
ATT&CK v19: The Defense Evasion Split, ICS Sub-Techniques, New AI & Social Engineering Coverage, and Detection Strategies for Mobile
ATT&CK v19 is here, and this release has been a long time coming. The Defense Evasion split is finally in place, detection strategies are expanding into Mobile, the ICS matrix is getting more granular with sub-techniques, and CTI coverage is expanding with AI-orchestrated espionage, Iranian hacktivism, and cross-domain wipers.
This release reflects how we’re continuing to work toward making ATT&CK more actionable at every layer, from clearer tactic boundaries that map to how defenders actually think about adversary intent, through new ICS sub-techniques that make broad behaviors more precise and operationally useful and Mobile detection guidance that gives you a traceable path from behavior to telemetry, to threat coverage that reflects where adversaries are operating.
For all the details on our updates and additions across Techniques, Software, Groups, and Campaigns, take a look at our release notes, our detailed changelog, or our changelog.json.
Enterprise | The Long-Awaited Split and Emerging Technique Coverage
Defense Evasion Split
This release features the long-awaited Defense Evasion split. As we highlighted in the Defense Evasion split blog, Defense Evasion has been covering adversaries blending in and breaking security tools under one tactic, but these are fundamentally different behaviors that need different defensive responses. The split comes down to adversary intent: Stealth covers behavioral camouflage (living-off-the-land binaries, obfuscated payloads, masquerading as legitimate processes), where your defenses are intact and you’re just not seeing the threat. Defense Impairment features the behaviors that are breaking your defenses (killing EDRs, tampering with logging pipelines, subverting trust controls). Some behaviors will be mapped to both Stealth and Defense Impairment, because adversaries don’t always operate cleanly within one intent, and our goal is always to reflect how the adversary is operating.
Here are the biggest changes you’ll find from the Defense Evasion split:
- Tactic Changes: Defense Evasion (TA0005) is retired and replaced by two tactics: Stealth, which inherits the tactic ID TA0005, and Defense Impairment, which receives a new tactic ID, TA0112.
- Where Techniques Landed: Most techniques previously in Defense Evasion landed in Stealth or Defense Impairment. A small number of techniques left the former Defense Evasion space entirely, moving to tactics like Lateral Movement, Privilege Escalation, or Execution where they more accurately belong.
- Most Significant Structural Change: T1562: Impair Defenses. The parent technique and several of its sub-techniques have been revoked and restructured. T1562, T1562.001, and T1562.006 are merged into a new parent, T1685: Disable or Modify Tools. The remaining sub-techniques have been revoked and reissued under new IDs within Defense Impairment. So if you map to any T1562 sub-technique, check the crosswalk, because it now has a new technique ID.
- New Techniques: Two new Defense Impairment entries were added: T1687: Exploitation for Defense Impairment and a new sub-technique, T1686.003: Disable or Modify System Firewall: Windows Host Firewall.
- Social Engineering Reorganization: T1656: Impersonation and T1672: Email Spoofing have been revoked and reissued as sub-techniques (T1684.001 and T1684.002) under the new technique T1684: Social Engineering, which sits in Stealth (more about this technique below!).
In addition to ATT&CK’s usual changelog, we’re releasing a Defense Evasion split crosswalk in JSON and CSV formats with a detailed breakdown of what happened to every (sub-)technique in Defense Evasion, as well as the handful of new techniques that resulted from this restructuring.
How to Read the Crosswalk
Each entry provides a map for the v18 Defense Evasion techniques or sub-techniques. It shows what the (sub-)technique was called and how it was identified in v18, what it maps to in v19, and whether the change was a relocation or a more significant restructuring.
- The v18 fields (attack-v18-attack-id, attack-v18-stix-id, attack-v18-name, attack-v18-tactics) tell you what you started with.
- The v19 fields (attack-v19-attack-id, attack-v19-stix-id, attack-v19-name, attack-v19-tactics) tell you what to use now. If the item is now a sub-technique, attack-v19-parent-attack-id tells you which parent it belongs under.
Tactic Change Types: Where the Behavior Moved
The tactic-change-type field is about placement: it tells you where the behavior moved during the split. The tactic change types are:
- Left Defense Evasion: the technique now resides only in tactics other than Stealth or Defense Impairment.
- Remains TA0005 -> renamed Stealth: the technique stayed in the TA0005 space, now called Stealth, and resides only there.
- Remains TA0005 -> renamed Stealth, and Remains in Additional Tactic(s): the technique is part of Stealth as well as other tactic(s).
- Moved to new tactic Defense Impairment: the technique now resides only in Defense Impairment.
- Moved to new tactic Defense Impairment, and Remains in Additional Tactic(s): the technique is part of Defense Impairment as well as other tactic(s).
Technique Change Type: How the ATT&CK Object Changed
The technique-change-type field outlines if and how the structure of the ATT&CK object itself changed. Some values are straightforward:
- Remains a technique
- Remains a sub-technique
Others need more careful review due to more significant structural change:
- Became a new technique
- Became a new sub-technique
- Merged into a new technique
- Revoked [TXXX]
Using the Crosswalk
Step 1: Update Fields
For content mapped to the October 2025/v18 version of ATT&CK, replace each technique ID that matches attack-v18-attack-id with the value in attack-v19-attack-id. Next, update the technique name to match attack-v19-name; for sub-techniques the name is formatted as Parent Technique Name: Sub-technique Name (for example, “File and Directory Permissions Modification: Windows Permissions”). If you map to tactics, replace them with the list in attack-v19-tactics. And if you use STIX IDs, replace attack-v18-stix-id with attack-v19-stix-id.
Step 2: Review straightforward Remaps (tactic changes only)
For entries with the technique-change-type “Remains a technique” or “Remains a sub-technique”, the technique IDs have not changed. After updating the fields in Step 1, the only differences are the tactic(s), which change for every such technique, plus a handful of renamed techniques:
- T1211 is now “Exploitation for Stealth”
- T1222.001 is now “File and Directory Permissions Modification: Windows Permissions”
- T1222.002 is now “File and Directory Permissions Modification: Linux and Mac Permissions”
Step 3: Review the Revoked, Reissued, and Merged Techniques
A few techniques were revoked and reissued under new IDs or reorganized under new parent techniques. For these, the tactics change (as in Step 2) and the technique IDs change as well. This covers any entry whose technique-change-type starts with “Revoked.”
Three legacy (sub-)techniques (T1562: Impair Defenses, T1562.001: Impair Defenses: Disable or Modify Tools, and T1562.006: Impair Defenses: Indicator Blocking) were merged into a new technique, T1685: Disable or Modify Tools. T1685 revokes all three of the former (sub-)techniques. This covers the technique-change-type “Merged into a new technique.”
Step 4: Review and Map to the New Techniques
Three new (sub-)techniques arose from the restructuring of the Defense Evasion split. The technique-change-type for these entries is “Became a new sub-technique” or “Became a new technique.” The new (sub-)techniques are:
- T1687: Exploitation for Defense Impairment is the complement to T1211: Exploitation for Stealth (formerly named Exploitation for Defense Evasion). If you have existing mappings to T1211, consider whether they should stay on T1211 or move to T1687, based on the adversary’s goal: remaining unseen (Stealth) or breaking a defense (Defense Impairment).
- T1686.003: Disable or Modify System Firewall: Windows Host Firewall is a new platform-specific sub-technique of T1686. Review any mappings to T1686 (formerly T1562.004) and re-map the Windows-specific ones to T1686.003.
- T1684: Social Engineering is a new parent technique under which Impersonation and Email Spoofing now sit as sub-techniques. If you’ve followed the steps above, your mappings to T1684.001 and T1684.002 are already in place, since those techniques were revoked and reissued with new technique IDs. And if you’ve been looking for a place to put other social engineering mappings, now you have one with T1684.
TL;DR
- If you want the fastest transition plan, start by updating the entries that only require a tactic change.
- Next, review anything tied to T1562, revoked IDs, or merged content carefully, because these are the places with the most significant restructuring.
- Finally, look at the newly introduced techniques and families, since they capture the deeper logic behind the split, in addition to the mechanics of the ID changes.
AI & Social Engineering Techniques
We’re continuing to look at where ATT&CK coverage should expand, especially around adversarial uses of AI and social engineering. In both cases, the core question is the same: does this behavior create meaningfully different detection, defensive response or analytic requirements, or is it a variation of something already covered?
What changes across the matrix is the kind of value that coverage provides. In Reconnaissance and Resource Development, most of the activity happens outside the target environment, so the value of coverage is centered more on analytical and operational completeness than on direct detection. For techniques deeper in the post-compromise phases, distinct detection logic and defensive response requirements are critical. But the question is the same for both pre- and post-compromise behaviors: does covering this behavior help defenders understand, track, and respond to adversary operations more effectively than not covering it?
For AI-enabled techniques, the key distinction is the behavior, not the tool. AI can make those activities faster, cheaper, and easier to scale, but it doesn’t fundamentally change what the adversary is doing (yet!). ATT&CK focuses on the behavior, so the coverage stays useful even as specific models and platforms change. For social engineering, the same logic applies, as adversaries have always tried to manipulate people into taking specific actions. Whether that happens over email, voice, or a help desk call, the channel is how the behavior is delivered, and the behavior itself is the manipulation. Treating that manipulation as its own behavior category makes it easier for defenders to track and respond to it, no matter how adversaries implement it.
This release adds new techniques that expand ATT&CK coverage on how adversaries use AI to scale and target research and content generation, and introduces a new parent technique for social engineering:
- On the AI-enabled front, T1682: Query Public AI Services covers how adversaries query public AI services for target research and operational planning at scale. T1683: Generate Content and its sub-techniques, T1683.001: Written Content and T1683.002: Audio-Visual Content, outline adversary content development, whether it’s created manually, sourced through third parties, or AI-assisted.
- On the social engineering side, we created a new parent technique, T1684: Social Engineering, to capture how adversaries use trust-based manipulation across multiple channels (email, voice, collaboration platforms, and help desk interactions) to prompt user-authorized actions like password resets, MFA changes, financial approvals, or sensitive information disclosure. Two existing techniques, T1684.001: Impersonation and T1684.002: Email Spoofing, were restructured as sub-techniques. The detection strategy for T1684 (DET0899) focuses on a common pattern with trust-manipulation behaviors, specifically how suspicious interactions are followed by an unusual user-authorized action (such as a password reset, OAuth consent grant, financial approval, or credential submission). Because that pattern holds across channels, defenders can build detection logic around the behavior itself instead of each channel variant.
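The DET0899 pattern described above, a suspicious interaction followed by an unusual user-authorized action, can be written as a single correlation rule fed by per-channel suspicion predicates, so the rule itself never has to know which channel the manipulation arrived on. The code below is an added example and is not MITRE’s detection strategy or its analytics: the event schema, the per-channel predicates, the organization domain example-corp.com, the tenant name, the 45-minute lookback, and the sample telemetry are all constructed assumptions.

```python
"""Channel-agnostic detection for the T1684 pattern: a suspicious interaction
followed by an unusual user-authorized action. Added example only; the rules,
field names and thresholds are assumptions, not the text of DET0899."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tunable parameters (assumed values).
LOOKBACK = timedelta(minutes=45)
SENSITIVE_ACTIONS = {"password_reset", "mfa_method_added",
                     "oauth_consent_granted", "wire_approval"}
TRUSTED_DOMAINS = {"example-corp.com"}       # assumed organization mail domain
TRUSTED_TENANTS = {"tenant-example-corp"}    # assumed collaboration tenant


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str      # "interaction" (someone contacted the user) or "action" (user did something)
    channel: str   # email, chat, helpdesk, voice, idp, finance
    detail: dict = field(default_factory=dict)


def is_suspicious_interaction(ev: Event) -> bool:
    """Per-channel predicates that all encode the same thing: the counterpart is
    not who they claim to be, or the request skipped normal identity verification."""
    if ev.kind != "interaction":
        return False
    d = ev.detail
    if ev.channel == "email":
        sender_domain = d.get("from", "").rsplit("@", 1)[-1].lower()
        claims_internal = d.get("display_name_internal", False)
        return d.get("dmarc") == "fail" or (claims_internal and sender_domain not in TRUSTED_DOMAINS)
    if ev.channel == "chat":
        return d.get("tenant") not in TRUSTED_TENANTS
    if ev.channel == "helpdesk":
        return d.get("identity_verified") is False and d.get("request") in {"password_reset", "mfa_reset"}
    if ev.channel == "voice":
        return d.get("caller_id_verified") is False
    return False


def detect(events: list[Event]) -> list[dict]:
    """Emit one alert per sensitive action that follows a suspicious interaction
    with the same user inside LOOKBACK, regardless of the interaction's channel."""
    recent: dict[str, list[Event]] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_suspicious_interaction(ev):
            recent.setdefault(ev.user, []).append(ev)
            continue
        if ev.kind == "action" and ev.detail.get("action") in SENSITIVE_ACTIONS:
            window = [i for i in recent.get(ev.user, []) if ev.ts - i.ts <= LOOKBACK]
            if window:
                alerts.append({
                    "user": ev.user,
                    "action": ev.detail["action"],
                    "action_channel": ev.channel,
                    "preceding_channels": sorted({i.channel for i in window}),
                    "minutes_since_contact": round((ev.ts - window[-1].ts).total_seconds() / 60, 1),
                })
    return alerts


def sample_events() -> list[Event]:
    """Constructed telemetry, not real logs."""
    t0 = datetime(2026, 3, 10, 9, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    return [
        # alice: lookalike "IT support" mail, then a password reset 20 minutes later -> alert
        Event(m(0), "alice", "interaction", "email",
              {"from": "it-support@examp1e-corp.com", "display_name_internal": True, "dmarc": "pass"}),
        Event(m(20), "alice", "action", "idp", {"action": "password_reset"}),
        # bob: help desk verified identity before resetting -> benign
        Event(m(60), "bob", "interaction", "helpdesk", {"identity_verified": True, "request": "password_reset"}),
        Event(m(65), "bob", "action", "idp", {"action": "password_reset"}),
        # carol: chat from an unknown tenant, then an OAuth consent 30 minutes later -> alert
        Event(m(120), "carol", "interaction", "chat", {"tenant": "tenant-unknown", "text": "approve the app"}),
        Event(m(150), "carol", "action", "idp", {"action": "oauth_consent_granted"}),
        # dave: unverified caller, but the wire approval is two hours later -> outside the window
        Event(m(180), "dave", "interaction", "voice", {"caller_id_verified": False}),
        Event(m(300), "dave", "action", "finance", {"action": "wire_approval"}),
        # erin: DMARC failure with no follow-on action -> no alert
        Event(m(240), "erin", "interaction", "email", {"from": "ceo@example-corp.com", "dmarc": "fail"}),
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The predicates are the only channel-specific part; the correlation key (user plus time window) and the list of sensitive actions are shared, which is what lets a help-desk social engineering case and a lookalike-domain email case fire the same rule. In production the lookback and the action list are the knobs to tune, and the dave case shows the cost of a tight window: a patient caller who waits past it is missed unless the interaction is also surfaced on its own.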
Industrial Control Systems (ICS) | Getting Granular with Firmware, Communications, and Discovery Sub-Techniques
ICS sub-techniques have arrived, and the structural updates aim to make technique coverage more actionable.
Five new parent techniques were reorganized with sub-techniques:
- T1693: Modify Firmware , separates system firmware (T1693.001) and module firmware (T1693.002) into sub-techniques, to reflect the different detection surfaces and integrity monitoring requirements.
- T1695: Block Communications is an entirely new technique, that subsumed Serial COM (T1695.001) as a sub-technique, and now also includes two (new) subs, Ethernet (T1695.002), and Wi-Fi (T1695.003), with the three covering disruption at the physical and network layer.
- T0846: Remote System Discovery gained three subs, now distinguishing Port Scan (T0846.001), Broadcast Discovery (T0846.002), and Multicast Discovery (T0846.003).
- T0843: Program Download also gained sub-techniques that capture the distinct ways adversaries push modifications to programmable controllers, including Download All (T0843.001), Online Edit (T0843.002), and Program Append (T0843.003).
- T1694: Insecure Credentials was added as a new technique, with Default Credentials (T1694.001) and Hardcoded Credentials (T1694.002) organized as sub-techniques to reflect the different ways adversaries abuse built-in credentials.
For the full picture of all (sub-) technique changes, check out the ICS crosswalk.
Using the ICS Crosswalk
Step 1: Update the Mapped Fields
For any row with record-type Existing Technique, start by replacing the old ATT&CK ID in attack-v18-attack-id with the value in attack-v19-attack-id. Then update the name from attack-v18-name to attack-v19-name. If the row includes a value in attack-v19-parent-attack-id, the technique now belongs under that parent in v19. If you use STIX IDs, replace attack-v18-stix-id with attack-v19-stix-id.
Step 2: Remap the Techniques that Became Sub-techniques
The most straightforward updates are the rows marked “Became new sub-technique”. These are direct remaps from old standalone techniques to new sub-techniques under a new parent. For these entries, you should replace the old technique ID with the new sub-technique ID and note the new parent.
Step 3: Review the Existing Parent Techniques
Some techniques are marked “Remains a technique”. These do not need to be remapped to a different ATT&CK technique ID. They just have new sub-techniques available. Review the sub-techniques to determine if you have enough detail to map to them.
Step 4: Add the New Parent Techniques
The crosswalk also introduces several rows with record-type “New Technique” and technique-change-type “Became a new technique”. These are the new parent techniques that organize the updated structure.
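The four ICS crosswalk steps above and the Enterprise Defense Evasion crosswalk steps earlier in the post share the same mechanics: look up each mapped v18 ID, copy over the v19 fields, and route the entry to a review bucket according to its change type. The script below is an added example and is not MITRE’s tooling. The column names are the ones the post lists; the sample rows are constructed from IDs and names the post gives, the STIX IDs are placeholders, and the exact spelling of the change-type values and the separator used inside attack-v19-tactics are assumptions.

```python
"""Apply an ATT&CK v18 -> v19 crosswalk (Enterprise or ICS) to a mapping inventory.
Added example, not MITRE's tooling. Column names follow the post; row values are
constructed from IDs/names in the post, STIX IDs are placeholders, and the spelling
of change-type values and the tactics separator are assumptions."""
from __future__ import annotations

import csv
import io
import re

TACTIC_ONLY = {"Remains a technique", "Remains a sub-technique"}

# Constructed excerpt of the Enterprise (Defense Evasion split) crosswalk.
ENTERPRISE_CSV = """\
attack-v18-attack-id,attack-v18-stix-id,attack-v18-name,attack-v18-tactics,attack-v19-attack-id,attack-v19-stix-id,attack-v19-name,attack-v19-tactics,attack-v19-parent-attack-id,tactic-change-type,technique-change-type
T1211,attack-pattern--placeholder-1211,Exploitation for Defense Evasion,Defense Evasion,T1211,attack-pattern--placeholder-1211,Exploitation for Stealth,Stealth,,Remains TA0005 -> renamed Stealth,Remains a technique
T1562.001,attack-pattern--placeholder-1562-001,Impair Defenses: Disable or Modify Tools,Defense Evasion,T1685,attack-pattern--placeholder-1685,Disable or Modify Tools,Defense Impairment,,Moved to new tactic Defense Impairment,Merged into a new technique
T1656,attack-pattern--placeholder-1656,Impersonation,Defense Evasion,T1684.001,attack-pattern--placeholder-1684-001,Social Engineering: Impersonation,Stealth,T1684,Remains TA0005 -> renamed Stealth,Revoked [T1684.001]
T1222.001,attack-pattern--placeholder-1222-001,File and Directory Permissions Modification: Windows File and Directory Permissions Modification,Defense Evasion,T1222.001,attack-pattern--placeholder-1222-001,File and Directory Permissions Modification: Windows Permissions,Stealth,T1222,Remains TA0005 -> renamed Stealth,Remains a sub-technique
"""

# Constructed excerpt of the ICS crosswalk (record-type column, no tactic columns).
ICS_CSV = """\
record-type,attack-v18-attack-id,attack-v18-stix-id,attack-v18-name,attack-v19-attack-id,attack-v19-stix-id,attack-v19-name,attack-v19-parent-attack-id,technique-change-type
Existing Technique,T0846,attack-pattern--placeholder-0846,Remote System Discovery,T0846,attack-pattern--placeholder-0846,Remote System Discovery,,Remains a technique
New Technique,,,,T1694,attack-pattern--placeholder-1694,Insecure Credentials,,Became a new technique
"""


def load_crosswalk(text: str):
    rows = list(csv.DictReader(io.StringIO(text)))
    by_old = {r["attack-v18-attack-id"]: r for r in rows if r["attack-v18-attack-id"]}
    brand_new = [r for r in rows if not r["attack-v18-attack-id"]]   # no v18 object to remap from
    return by_old, brand_new


def classify(change_type: str) -> str:
    """Bucket a row by how much human review it needs (Steps 2-4 in the post)."""
    if change_type in TACTIC_ONLY:
        return "tactic-only"                  # ID unchanged; name/tactics may change
    if change_type.startswith(("Revoked", "Merged")):
        return "review-id-changed"            # old ID gone; confirm the new object still fits
    if change_type.startswith("Became"):
        return "review-new-object"
    return "review-unknown"


def apply_crosswalk(mappings: list[dict], crosswalk_text: str):
    by_old, brand_new = load_crosswalk(crosswalk_text)
    updated, buckets = [], {}
    for m in mappings:
        m = dict(m)
        row = by_old.get(m["technique_id"])
        if row is None:
            bucket = "not-in-crosswalk"       # untouched by this release's restructuring
        else:
            bucket = classify(row["technique-change-type"])
            m["previous_id"] = m["technique_id"]
            m["technique_id"] = row["attack-v19-attack-id"]
            m["technique_name"] = row["attack-v19-name"]
            if row.get("attack-v19-tactics"):   # column absent in the ICS crosswalk
                m["tactics"] = [t.strip() for t in re.split(r"[;,]", row["attack-v19-tactics"]) if t.strip()]
            if row.get("attack-v19-stix-id"):
                m["stix_id"] = row["attack-v19-stix-id"]
            if row.get("attack-v19-parent-attack-id"):
                m["parent_id"] = row["attack-v19-parent-attack-id"]
            if m["technique_id"] == "T1211":    # Step 4: Stealth vs. Defense Impairment intent
                m.setdefault("flags", []).append("consider T1687 if the exploit broke a defense")
        m["bucket"] = bucket
        buckets.setdefault(bucket, []).append(m["technique_id"])
        updated.append(m)
    return updated, buckets, [r["attack-v19-attack-id"] for r in brand_new]


SAMPLE_ENTERPRISE_MAPPINGS = [   # constructed inventory of existing v18 mappings
    {"technique_id": "T1211", "technique_name": "Exploitation for Defense Evasion", "tactics": ["Defense Evasion"]},
    {"technique_id": "T1562.001", "technique_name": "Impair Defenses: Disable or Modify Tools", "tactics": ["Defense Evasion"]},
    {"technique_id": "T1656", "technique_name": "Impersonation", "tactics": ["Defense Evasion"]},
    {"technique_id": "T1222.001", "technique_name": "File and Directory Permissions Modification: Windows File and Directory Permissions Modification", "tactics": ["Defense Evasion"]},
    {"technique_id": "T1105", "technique_name": "Ingress Tool Transfer", "tactics": ["Command and Control"]},
]
SAMPLE_ICS_MAPPINGS = [{"technique_id": "T0846", "technique_name": "Remote System Discovery"}]


def run_enterprise():
    return apply_crosswalk(SAMPLE_ENTERPRISE_MAPPINGS, ENTERPRISE_CSV)


def run_ics():
    return apply_crosswalk(SAMPLE_ICS_MAPPINGS, ICS_CSV)


if __name__ == "__main__":
    for name, fn in (("enterprise", run_enterprise), ("ics", run_ics)):
        _, buckets, new_ids = fn()
        print(name, buckets, "new objects to consider:", new_ids)
```

Entries whose change type starts with Revoked or Merged get their fields rewritten but still land in a review bucket, because Step 3 is a judgement call (does the T1685 or T1684.001 object still describe what you observed?), and anything that ends up on T1211 is flagged for the Step 4 T1211/T1687 intent decision. Rows with an empty attack-v18-attack-id are the brand-new parents from ICS Step 4; they are returned separately because nothing in the inventory can be remapped onto them automatically.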
Defense | Detection Strategies Go Mobile
Last year we launched Detection Strategies to give defenders practical, platform-specific guidance for detecting ATT&CK techniques. Each strategy connects adversary behavior to analytics, log sources, and tunable parameters, helping teams trace a clear path from technique to telemetry across different environments. With this release, the Defense and Mobile teams started applying detection strategies to the Mobile domain. The Mobile detection strategies are designed to reflect that visibility is often uneven and depends on the tools defenders have in place. To address that, the guidance is vendor-agnostic and built to work across a wide range of visibility levels. It focuses on realistic signals defenders can observe, regardless of which mobile security products they use, and clearly calls out where visibility gaps remain and what telemetry or tooling would be needed to fill them.
Take T1398: Boot or Logon Initialization Scripts as an example. The prior guidance for T1398 told you Verified Boot, SafetyNet, and Knox could detect unauthorized modifications. That’s true, but not immediately actionable. The new detection strategy (DET0654) gives you two platform-specific analytics, explicit log sources, and tunable parameters, one for Android, one for iOS. That’s the difference between knowing something is detectable and knowing how to detect it.
- On Android, AN1739 focuses on boot persistence by surfacing suspicious changes to initialization components and linking them to script activity after startup. Indicators may include attestation failures, unexpected edits to protected init paths, or privileged processes starting from unusual locations.
- On iOS, AN1740 is designed to catch persistence that shows up through altered launch behavior. That can include unauthorized launchd changes or sideloaded apps that begin running automatically at boot or unlock, with signals such as modified plist files, binaries executing from non-Apple locations, or apps remaining active in unexpected background modes.
Detection strategies were completed for most Mobile techniques across Initial Access and Execution, and the remaining detection strategies will be included in the next release. If you would like to contribute to the Mobile detection strategy effort, let us know!
Cyber Threat Intelligence | From Tehran to Beijing, AI to Supply Chain, Cross-domain to Commodity tools
This release features coverage where we’re seeing operationally relevant activity tied to a number of spaces: Iran and the People’s Republic of China (PRC), early signals in AI-enabled tradecraft, cross-domain campaigns, software supply chain compromises, threats in underreported regions, and commodity crimeware.
- Iranian-linked updates include Void Manticore (G1055), the Ministry of Intelligence and Security (MOIS)-linked actor behind the Handala Hack, Karma, and Homeland Justice (C0038) personas, now targeting U.S. organizations including the 2026 Stryker Corporation attack; and MOIS-linked actor MuddyWater (G0069) was updated with software (MuddyViper (S9032), RustyWater (S9037), Fooder (S9033)), reflecting continued tooling evolution with stealthier behaviors.
- Two entries mark emerging behaviors in AI-enabled threat activity: first up, a campaign entry for the Anthropic AI-orchestrated Campaign (C0062), capturing GTG-1002, an assessed People’s Republic of China (PRC) state-directed cluster, using Claude Code to autonomously execute most of a multi-stage espionage campaign. A software entry was added for LAMEHUG (S9035), the first malware documented to query a large language model in live operations, associated with APT28 (G0007).
- PRC-linked coverage expands in two directions: more visibility into known actors, and more depth around the infrastructure they exploit. We added MirrorFace (G1054), as a menuPass (G0045) subgroup, alongside its campaign, Operation AkaiRyū (C0060). The Volt Typhoon (G1017) entry reflects initial access broker updates, and new software entries (BRICKSTORM (S9015), BRUSHFIRE (S9011), SPAWNCHIMERA (S9024), PHASEJAM (S9014), DRYHOOK (S9013)) associated with PRC-nexus actors add to the Network Devices matrix and provide extended procedures on edge device targeting.
- Cross-domain coverage highlights that boundaries are just constructs, with the Hamas-affiliated threat actor WIRTE (G0090) pivoting to disruptive operations since October 2023, and the SameCoin (S9030) wiper added as a cross-domain entry spanning Enterprise and Mobile matrices. We also mapped the 2025 Poland Wiper Attacks (C0063) as a cross-domain ICS and Enterprise campaign, along with DynoWiper (S9038) and LazyWiper (S9039), documenting the first destructive wiper deployment against a NATO member’s energy infrastructure.
- Supply chain coverage expands around the familiar legitimate ecosystems being turned into delivery channels. GlassWorm (S9010), and Shai-Hulud (S9008), capture the 2025 npm ecosystem compromises that harvested developer credentials across hundreds of organizations, and TruffleHog (S9009) was included for its weaponized role within the Shai-Hulud infection chain.
- In Latin America, the financially motivated APT-C-36 (G0099) continues to rely on commodity crimeware, reflected in the additions of HeartCrypt (S9018) and PureCrypter (S9019). SystemBC (S9012) was added to reflect its widespread use as a SOCKS5 proxy and persistent backdoor in ransomware operations, and the Evilginx2 (S9003) entry features an adversary-in-the-middle phishing framework used to capture authenticated session cookies and bypass MFA in real time. Qilin (S1242) now includes Linux support, capturing how it’s extending operations beyond Windows to target Linux infrastructure, including VMware ESXi servers.
For a full listing of the new Groups, Campaigns, and Software added as part of the release, check out the Release Notes.
Mobile | Spyware, Banking Trojans, and AI-Enabled Voice Phishing
The Mobile team coordinated with Defense to update detection strategies, and the matrix also gained three new software entries and an expanded technique.
VajraSpy (S9006) was added as a new Android spyware used in targeted espionage campaigns, capable of intercepting messages, exfiltrating contacts and files, and activating the device camera and microphone. DocSwap (S9005) is a new Android malware entry associated with Kimsuky (G0094), disguised as a document viewing app to covertly collect device information and exfiltrate data from targeted victims. Crocodilus (S9004) is a new Android banking trojan that hijacks accessibility services to display fake login screens over legitimate banking and cryptocurrency apps, stealing credentials and giving attackers real-time control of the device.
T1660: Phishing was updated to capture AI-enabled voice phishing, where adversaries use AI to clone voices to impersonate trusted individuals in real-time calls or urgent voicemails, making victims significantly more likely to hand over credentials, send money, or fall for other malicious actions.
Closing
As always, ATT&CK is a community effort, and this release reflects contributions, feedback, and conversations from defenders, analysts, and researchers across the community and we’re grateful for every one of them. If you spot something missing, have a correction, or want to flag a behavior we should be tracking, reach out. The framework stays useful because people tell us where it isn’t.
There’s more to come this year, and we’ll be publishing the Roadmap soon to provide more details on changes and additions across ATT&CK. ATT&CKcon 7.0 will take place October 27–28 and we’ll be releasing the Call For Papers in the next couple of months. We’re looking forward to hearing from the community on the research, operational insights, and use cases!
For the full picture of what changed in this release, head to attack.mitre.org. You can also connect with us via Email, or on LinkedIn, Slack, Bluesky, or X.
©2026 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited. 25–01291–2.

Facts Only

ATT&CK v19 was released, featuring a split of the Defense Evasion tactic into Stealth (TA0005) and Defense Impairment (TA0112).
The Defense Evasion split includes the revocation and restructuring of T1562 (Impair Defenses) and its sub-techniques, merging some into T1685 (Disable or Modify Tools).
New techniques introduced include T1687 (Exploitation for Defense Impairment) and T1686.003 (Disable or Modify System Firewall: Windows Host Firewall).
Social Engineering techniques were reorganized under T1684, with T1656 (Impersonation) and T1672 (Email Spoofing) becoming sub-techniques.
AI-enabled techniques added include T1682 (Query Public AI Services) and T1683 (Generate Content), with sub-techniques for written and audio-visual content.
ICS techniques were expanded with sub-techniques for T1693 (Modify Firmware), T1695 (Block Communications), T0846 (Remote System Discovery), T0843 (Program Download), and T1694 (Insecure Credentials).
Detection strategies for Mobile were introduced, providing platform-specific guidance for techniques like T1398 (Boot or Logon Initialization Scripts).
New threat actor coverage includes Iranian-linked groups Void Manticore and MuddyWater, and PRC-affiliated actors MirrorFace and Volt Typhoon.
Emerging AI-driven campaigns, such as the Anthropic AI-orchestrated Campaign (C0062), and cross-domain threats like the SameCoin wiper were added.
The release includes crosswalks in JSON and CSV formats to help users transition from v18 to v19 mappings.

Executive Summary

ATT&CK v19 introduces significant structural changes, including the long-awaited split of the Defense Evasion tactic into two distinct categories: Stealth and Defense Impairment. This reorganization reflects adversary intent, with Stealth covering behaviors like obfuscation and masquerading, while Defense Impairment includes actions that actively disrupt security tools. The update also revokes and restructures several techniques, such as T1562 (Impair Defenses), which has been merged into T1685 (Disable or Modify Tools), and introduces new techniques like T1687 (Exploitation for Defense Impairment) and T1684 (Social Engineering). Additionally, the release expands coverage of AI-enabled threats, including techniques like T1682 (Query Public AI Services) and T1683 (Generate Content), and reorganizes ICS techniques with new sub-techniques for greater precision. Detection strategies for Mobile are also introduced, providing platform-specific guidance for techniques like T1398 (Boot or Logon Initialization Scripts). The update includes new threat actor coverage, such as Iranian-linked groups like Void Manticore and MuddyWater, and PRC-affiliated actors like MirrorFace and Volt Typhoon, alongside emerging AI-driven campaigns and cross-domain threats.
The changes aim to make ATT&CK more actionable for defenders by clarifying tactic boundaries, refining technique granularity, and addressing evolving adversary behaviors. The Defense Evasion split, in particular, helps defenders distinguish between adversaries hiding within legitimate processes and those actively sabotaging security measures. The addition of sub-techniques in the ICS matrix and the expansion of Mobile detection strategies reflect a commitment to operational utility across diverse environments. Meanwhile, the inclusion of AI and social engineering techniques underscores the framework's adaptability to emerging threats, though the focus remains on behavioral patterns rather than specific tools or platforms. The update also highlights ongoing adversary activity, from state-sponsored espionage to commodity crimeware, reinforcing the need for comprehensive threat intelligence.

Full Take

The ATT&CK v19 release reflects a broader trend in cybersecurity toward greater precision in threat modeling and detection. The split of Defense Evasion into Stealth and Defense Impairment is a notable shift, as it forces defenders to think more critically about adversary intent rather than just the mechanics of evasion. This change could help organizations tailor their defenses more effectively, but it also requires a reevaluation of existing mappings and detection strategies. The introduction of AI-enabled techniques, such as T1682 and T1683, signals recognition of the growing role of AI in adversary tradecraft, though the framework wisely focuses on behavior rather than specific tools, ensuring longevity as AI models evolve.
The reorganization of ICS techniques with sub-techniques suggests a maturing understanding of industrial control system threats, where granularity is essential for detection and response. Similarly, the expansion of Mobile detection strategies addresses a long-standing gap in visibility, providing actionable guidance for defenders in a space where telemetry is often limited. The inclusion of new threat actors and campaigns, particularly those linked to state-sponsored groups like Iran and China, underscores the framework's commitment to operational relevance. However, the rapid evolution of these threats raises questions about how quickly frameworks like ATT&CK can adapt without becoming overwhelming for practitioners.
One potential concern is the increasing complexity of the framework. While granularity is valuable, it may also create challenges for smaller teams with limited resources. The crosswalks provided for transitioning from v18 to v19 are helpful, but the sheer volume of changes could lead to mapping errors or gaps in coverage. Additionally, the focus on AI and social engineering techniques is timely, but it remains to be seen how defenders will operationalize these insights in practice. The framework's emphasis on behavior over tools is a strength, but it also requires defenders to think more abstractly about threats, which may not always align with the realities of day-to-day security operations.
Root cause: The updates in ATT&CK v19 reflect a paradigm shift toward behavioral analysis and adversary intent, driven by the need for more actionable threat intelligence in an evolving landscape. The framework's adaptability is both a strength and a challenge, as it must balance granularity with usability.
Implications: For defenders, the changes in v19 offer more precise tools for detection and response, but they also demand greater investment in understanding and implementing the updates. Organizations with mature security programs may benefit the most, while smaller teams could struggle with the complexity. The focus on AI and social engineering highlights the need for defenders to stay ahead of emerging threats, but it also raises questions about the scalability of such efforts.
Bridge questions: How will smaller organizations with limited resources adapt to the increased complexity of ATT&CK v19? What are the potential blind spots in the framework's coverage of AI-enabled threats, given the rapid pace of innovation in this area? How might adversaries exploit the transition period between framework versions to evade detection?

ATT&CK v19: The Defense Evasion Split, ICS Sub-Techniques, New AI & Social Engineering Coverage… — Arc Codex