Released: MITRE ATT&CK v17.0, now with ESXi attack TTPs
MITRE has released the latest version of its ATT&CK framework, which now also includes a new section (“matrix”) to cover the tactics, techniques and procedures (TTPs) used to target VMware ESXi hypervisors.
About MITRE ATT&CK
MITRE ATT&CK is a regularly updated public knowledge base that charts how real-world threat actors behave. It also lists known/documented threat actor groups, malware, and (some) past high-profile campaigns.
It’s used by cyber defenders and vendors for threat modeling and improving defenses, creating detection rules, creating playbooks to simulate attacks, mapping attackers’ actions to ATT&CK tactics, building attack timelines, identifying gaps in detection or response, and more.
ATT&CK’s matrices are divided into three main groups: Enterprise, Mobile, and ICS (industrial control systems).
MITRE ATT&CK v17.0
Until now, the Enterprise matrix covered pre-compromise TTPs, as well as those related to attacks on Windows, macOS, Linux, cloud services (office suites, identity providers, SaaS and IaaS platforms), network devices (formerly dubbed “network platform”) and containers.
MITRE ATT&CK v17.0 has added a new platform under the Enterprise matrix: ESXi.
“While we initially considered creating a broader type-1 hypervisor platform, in the wild reporting on adversaries has been heavily focused on ESXi,” explained Amy L. Robertson, principal cyber threat intelligence engineer at MITRE.
“The virtualization landscape will continue to change, and while ESXi’s role may shift, attackers have been actively leveraging its capabilities, especially in ransomware and persistent access campaigns. As other hypervisors draw in more adversaries, we’ll work with the community to ensure that those behaviors are reflected. Our goal with this update is to provide defenders the tools they need to detect and mitigate threats in the environments adversaries are targeting today.”
The new ATT&CK version includes 34 existing techniques that have been adapted to the ESXi environment and adds four new ones.
“The platform scope centers around the core operating system of the ESXi hypervisor, with primary attention on the hypervisor itself, rather than vCenter Server which manages ESXi hosts. Techniques involving vCenter are only included when they directly impact ESXi, such as using vCenter to compromise the hypervisor,” Robertson pointed out.
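As an added example (not from the article and not MITRE’s own code), a small Python script that pulls the techniques tagged with a given platform out of an ATT&CK STIX bundle, the JSON format MITRE publishes in the mitre/cti GitHub repository, and groups them by tactic; this is how a defender would enumerate the new ESXi coverage once the v17.0 bundle is downloaded. The bundle embedded below is a constructed miniature with placeholder IDs and names, not the real ESXi techniques.

```python
import json
from collections import defaultdict

# Constructed miniature bundle in the layout of MITRE's enterprise-attack.json
# (mitre/cti on GitHub); IDs and names are placeholders, not real ATT&CK entries.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "Placeholder A", "x_mitre_platforms": ["Linux", "ESXi"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    {"type": "attack-pattern", "name": "Placeholder B", "x_mitre_platforms": ["ESXi"],
     "x_mitre_is_subtechnique": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0001.001"}]},
    {"type": "attack-pattern", "name": "Placeholder C", "x_mitre_platforms": ["Windows"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0002"}]},
    {"type": "attack-pattern", "name": "Placeholder D", "revoked": True,
     "x_mitre_platforms": ["ESXi"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0003"}]},
    {"type": "intrusion-set", "name": "Placeholder Group"},  # groups are not techniques
]})


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1059.012) from a STIX object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_for_platform(bundle_json, platform="ESXi"):
    """Map tactic -> sorted ATT&CK IDs of live techniques that list `platform`.
    Revoked and deprecated objects stay in the bundle, so they are filtered out here."""
    by_tactic = defaultdict(list)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if platform not in obj.get("x_mitre_platforms", []):
            continue
        tid = attack_id(obj)
        for phase in obj.get("kill_chain_phases", []):  # one technique can span tactics
            if phase.get("kill_chain_name") == "mitre-attack":
                by_tactic[phase["phase_name"]].append(tid)
    return {tactic: sorted(ids) for tactic, ids in sorted(by_tactic.items())}
```

To run it against the real data, pass the contents of the downloaded enterprise-attack.json to `techniques_for_platform` instead of `SAMPLE_BUNDLE`.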
Other changes and additions to the ATT&CK framework include:
- New attacker behaviors, such as Malicious Copy and Paste (reflecting the advent of so-called ClickFix attacks), Email Bombing (used by attackers to prime targets for vishing attacks), and Cloud Application Integration (adversaries abuse OAuth app integrations in SaaS platforms)
- Merged overlapping techniques
- New analytics “to help defenders more easily implement ways to identify intrusions earlier, track adversary pivots more effectively, and respond faster”
- Mitigations featuring step-by-step implementation guidance, real-world use cases, integration tools
- The Mobile matrix includes new techniques and tools used by attackers
- The Cyber Threat Intelligence section has been updated with new attack groups and campaigns.