What’s New in MITRE ATT&CK v18: Detection Strategies and Analytics Unveiled

Keypoints

  • MITRE ATT&CK v18 replaces traditional Detections and Data Sources with Detection Strategies and Analytics to create a behavior-driven detection model.
  • The new two-tier model links high-level detection strategies to actionable analytics and specific data components for precise telemetry mapping.
  • Version 18 introduces 12 new techniques across Enterprise, Mobile, and ICS, including cloud exploitation, ESXi/shell execution, trust relationship modifications, and wireless sniffing.
  • Legacy static data source objects (e.g., Command Execution, Application Log, Active Directory Object Modification) were deprecated; the telemetry they described is now expressed as data components attached to analytics, which in turn roll up to detection strategies.
  • Detection Strategies enable enhanced cross-tactic correlation—especially between Execution and Persistence—improving SOC detection engineering and threat hunting.
  • Proposed future changes include splitting the Defense Evasion tactic into Stealth and Impair Defenses and reclassifying several techniques (e.g., T1548, T1578.005).
  • Vendors like Picus Security are aligning their test libraries and detection content (vendor-neutral and vendor-specific) to validate controls against ATT&CK v18 analytics and strategies.

MITRE Techniques

  • [T1082] System Information Discovery – Mapped to detection strategy DET0525 and analytic AN0850, described as “Behavioral detection of system and network discovery commands (e.g., correlating systeminfo, esxcli system version get, Get-ComputerInfo, or remote API calls)”
  • [DET0743] Detection of Wireless Sniffing – New strategy covering wireless sniffing behaviors (one of the v18 additions alongside the new wireless sniffing technique)
  • [DET0458] Detection of Trust Relationship Modifications – Strategy for detecting modifications to domain or tenant trust relationships (“Detection of Trust Relationship Modifications in Domain or Tenant Policies (DET0458)”)
  • [T1548] Abuse Elevation Control Mechanism – Proposed reclassification: “moving from Defense Evasion to Privilege Escalation” as part of the proposed tactic changes
  • [T1578.005] Modify Cloud Compute Configurations – Proposed reclassification: “moving from Defense Evasion to Persistence” as part of the proposed tactic changes

Indicators of Compromise

  • [Log Files] Log sources referenced by analytics – vpxd.log (vCenter Management), esxi:shell (Shell Execution)
  • [Data Components] Telemetry mappings used as detection inputs – DC0009 (Process Creation event log), DC0017 (Command Execution EDR telemetry), DC0025 (API Call system information query)
  • [Technique/Analytic IDs] Identifiers referenced as detection artifacts – DET0525, AN0850, DET0743, DET0458 (used to map strategies to analytics)
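The following worked example is added here to make the two-tier model concrete; it is not code from the Picus post or from MITRE. It models the strategy -> analytic -> data component chain for T1082 (DET0525 / AN0850 / DC0009, DC0017, DC0025, the identifiers and example commands cited above) and runs an AN0850-style behavioral correlation over constructed telemetry: an alert fires only when one host shows two or more distinct discovery indicators inside a time window, which is the cross-source correlation a single static data-source mapping could not express. The dataclass layout, the event format, the sample log lines, the five-minute window and the Win32 API names used as "remote API call" stand-ins are all assumptions for illustration.

```python
"""Added example (not from the page or MITRE): ATT&CK v18 strategy/analytic/
data-component model plus one behavioral analytic run over constructed telemetry."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


# --- Tier 1 and 2 objects: strategy -> analytics -> data components ---------
@dataclass(frozen=True)
class DataComponent:
    id: str
    name: str


@dataclass(frozen=True)
class Analytic:
    id: str
    description: str
    data_components: tuple[DataComponent, ...]


@dataclass
class DetectionStrategy:
    id: str
    technique: str
    name: str
    analytics: list[Analytic] = field(default_factory=list)


# Identifiers and component descriptions as cited on the page.
DC0009 = DataComponent("DC0009", "Process Creation")
DC0017 = DataComponent("DC0017", "Command Execution")
DC0025 = DataComponent("DC0025", "API Call")

AN0850 = Analytic(
    "AN0850",
    "Behavioral detection of system and network discovery commands "
    "(correlating systeminfo, esxcli system version get, Get-ComputerInfo, "
    "or remote API calls)",
    (DC0009, DC0017, DC0025),
)
DET0525 = DetectionStrategy("DET0525", "T1082", "System Information Discovery", [AN0850])


# --- Telemetry record: each event names the data component that produced it --
@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    component: str  # DC0009 / DC0017 / DC0025
    value: str      # command line, or API name for DC0025


# Assumption: the page only says "remote API calls"; these names are illustrative.
DISCOVERY_APIS = {"getsysteminfo", "getcomputernameexw"}


def classify(ev: Event) -> str | None:
    """Return a discovery indicator label for the event, or None if benign."""
    v = ev.value.strip().lower()
    if ev.component == DC0025.id:
        return f"api:{v}" if v in DISCOVERY_APIS else None
    tokens = [t.strip('"\'{}();') for t in v.split()]
    if not tokens:
        return None
    # Compare the executable stem exactly so systeminfo_report.exe does not match.
    stem = tokens[0].rsplit("\\", 1)[-1].rsplit("/", 1)[-1].removesuffix(".exe")
    if stem == "systeminfo":
        return "cmd:systeminfo"
    if stem == "esxcli" and tokens[1:4] == ["system", "version", "get"]:
        return "cmd:esxcli system version get"
    if stem in ("powershell", "pwsh") and "get-computerinfo" in tokens:
        return "cmd:get-computerinfo"
    return None


def run_analytic(events: list[Event], window: timedelta = timedelta(minutes=5),
                 min_distinct: int = 2) -> list[dict]:
    """AN0850-style correlation: alert when one host shows >= min_distinct
    different discovery indicators within `window`. One alert per host."""
    hits: dict[str, list[tuple[datetime, str, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        label = classify(ev)
        if label:
            hits.setdefault(ev.host, []).append((ev.ts, label, ev.component))
    alerts = []
    for host, rows in hits.items():
        for i, (t0, _, _) in enumerate(rows):
            span = [r for r in rows[i:] if r[0] - t0 <= window]
            labels = {r[1] for r in span}
            if len(labels) >= min_distinct:
                alerts.append({
                    "host": host, "technique": DET0525.technique,
                    "strategy": DET0525.id, "analytic": AN0850.id,
                    "indicators": sorted(labels),
                    "data_components": sorted({r[2] for r in span}),
                })
                break
    return alerts


T = datetime(2025, 11, 1, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    Event(T, "WS01", "DC0009", r"C:\Windows\System32\systeminfo.exe"),
    Event(T + timedelta(seconds=40), "WS01", "DC0009", r"C:\Windows\notepad.exe"),
    Event(T + timedelta(seconds=70), "WS01", "DC0017", 'powershell.exe -NoP -C "Get-ComputerInfo"'),
    Event(T, "ESX01", "DC0017", "esxcli system version get"),      # single indicator: no alert
    Event(T, "WS02", "DC0025", "GetSystemInfo"),
    Event(T + timedelta(hours=2), "WS02", "DC0009", "systeminfo"),  # outside window: no alert
    Event(T, "WS03", "DC0009", r"C:\tools\systeminfo_report.exe"), # not a discovery command
]

if __name__ == "__main__":
    for alert in run_analytic(SAMPLE_EVENTS):
        print(alert)
```

Only WS01 produces an alert: its systeminfo process creation (DC0009) and the PowerShell Get-ComputerInfo command execution (DC0017) fall inside the window, and the alert carries the strategy, analytic and contributing data component IDs so it can be traced back through the v18 objects. ESX01 and WS02 each show a single indicator per window and stay quiet, which is the point of correlating across components rather than alerting on one command.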


Read more: https://www.picussecurity.com/resource/blog/whats-new-in-mitre-attack-v18