- Fixes support for ATT&CK versions with more than 1 digit (ex. ATT&CK v10).
- Uploaded layers without a specified ATT&CK version will no longer try and fail to load ATT&CK v1
- Uploaded layers uring ATT&CK v10 will no longer try and fail to load ATT&CK v1
- Downloaded layers using ATT&CK v10 will no longer claim they use ATT&CK v1
- The ATT&CK Navigator now has a dark theme. See issue #71.
- Added support for ATT&CK version 10
- Added data sources panel to the search and multiselect interface. See issue #341.
- Fixed a crash that would occur when loading a layer with annotations on a revoked/deprecated technique without explicitly defined tactics. See issue #354.
Version 4.4 of the Navigator restores Safari support provided you are using Safari version 14 or above.
- Combined the search and multiselect tools into a single UI. This allows groups, software, and mitigations to be filtered alongside techniques and improves usability by moving the interface to a sidebar. See issue #204.
- Added a workflow for upgrading layers created in older versions of ATT&CK to the current version. When upgrading a layer, users can view techniques have changed between the two versions and copy annotations to their new layer. See issue #181.
- Various improvement to UI aesthetics and usability. See issue #340.
- Reduced unnecessary whitespace to maximize screen real-estate for viewing the matrix.
- Layer tabs now hide themselves when the user scrolls to maximize screen real-estate for viewing the matrix.
- Improved favicon for standardization with other ATT&CK tools.
- Techniques are now shown when disabled (and hide-disabled is enabled) as long as any of any of their sub-techniques are enabled. See issue #298
- Users can disable the comment underline effect on techniques by editing
src/assets/config.json
or through the "Create Customized Navigator" interface. See issue #268. - Application now alerts the user when input STIX data contains an object missing an ATT&CK ID instead of failing silently. See issue #339.
- The application usage/help page can now be viewed directly on GitHub. See issue #179.
- The application changelog can now be viewed within the application. See issue #178.
- Fixed some issues where objects could appear in the wrong domain under specific circumstances. See issue #308, attack-website#310.
- Fixed issue with sorting when show aggregate score is enabled, where each technique's aggregate score was not correctly calculated into the sorting. See issue #295.
- The Navigator should now use the proper fonts when operating without an internet connection. See issue #278
- Fixed an issue when loading multiple default layers where subsequent layers would only appear after the user interacted with the first one. See issue #288.
- Updated Safari browser warning to show only for versions 13 and below. See issue #306.
- Added aggregate scores. Aggregate scores are computed using the score of the technique and all sub-techniques using an "aggregate function" -- min, max, average, or sum. The aggregate score is used to determine the color of the technique in place of the technique's score. Aggregate scores are an optional feature and can be enabled in the "matrix configuration" dropdown. See issue #269.
- The user can now suppress the "leave site?" warning dialog in the config file or via the "create a customized navigator" interface. See issue #267.
- Added an (optional) configurable banner. The new "banner" field of the config file can be used to customize the banner content with full HTML support. See issue #205.
- Added button to toolbar to only expand all sub-techniques that are annotated. See issue #256.
- Added support for displaying STIX 2.1 notes in tooltips. Notes attached to techniques in the STIX data are indicated in the same style as a comment. As of version 4.3 the ATT&CK Navigator supports STIX 2.1, but cannot load data from a TAXII 2.1 server.
- Consolidated AWS, GCP, and Azure platforms into IaaS platform to integrate upcoming release of ATT&CK. See issue #252.
- Fixed a bug in exporting matrix to Excel sheet, where the style of all sub-techniques with the same name in a column were incorrectly over-ridden by the style of the first sub-technique in its name. See issue #270.
Layer file format updated to version 4.2. This update is fully backwards compatible with the layer format v4.1 since the added fields are optional. See layers/LAYERFORMATv4_2.md for the full specification.
This update adds settings for aggregate scores to the layout object of the layer:
showAggregateScores
, which turns on the featurecountUnscored
which counts unscored techniques as if their score was0
when the aggregate function is "average".aggregateFunction
: the desired aggregation function: "average", "min", "max" or "sum".
With version 4.2 of the Navigator we are retiring support for the Safari browser. A bug introduced in the sub-techniques release (version 3.0) causes safari to freeze when changing between layer tabs (see issue #251). We have been unable to determine the cause of the freeze and thus are retiring official support for that browser. Safari users can continue to use the application, but will be warned of possible freezes via a dialog window when they first load the app.
Refactored the implementation of tabs to reduce performance issues when opening multiple layers. See issue #254.
- The help page and SVG exporter have been moved to a pop-up window and are no longer displayed in a separate tab.
- The process for displaying layer information and switching between tabs has been refactored. The creation and deletion of new DOM elements for each tab has been removed. Previously, the contents of each tab were contained in their own DOM element causing poor performance.
- Fixed a bug preventing required packages to install when building the Navigator through Docker. See issue #258.
- Added support for section breaks in the technique metadata format (see Layer File Format Changes below for more details). See issue #189.
- Layer domain and version is displayed under "layer information" in layer controls and in a new "domain" section of the SVG exporter. See issue #239.
- Layer loading is indicated in the UI when uploading a layer from the Open Existing Layer interface. See issue #240.
- Fixed a bug causing platform selection to be overwritten when uploading a layer. See issue #245.
- Updated packages to fix vulnerabilities. You may need to
npm install
on your local instance due to new package versions.
Layer file format updated to version 4.1. This update is fully backwards compatible with layer format v4.0 since the added field is optional. See layers/LAYERFORMATv4_1.md for the full specification.
This update adds an optional divider
object to the metadata
format on technique objects. Each object in the metadata array must either be of the schema {"name": string, "value": string}
or {"divider": boolean}
. A separator will be displayed in the metadata tooltip where the divider
property occurs in the list of metadata.
- Added support for mixed domains and versions. Layers can be opened with different ATT&CK versions and now support custom domains. See issues #180 and #182.
- Users can specify the ATT&CK version and domain for each layer. A layer with no specified ATT&CK version will default to the current version.
- Updated "create new layer" interface to provide access to previous versions of ATT&CK.
- Added ability to upgrade an uploaded layer to the current version of ATT&CK.
- Updated "create layer from other layers" interface to restrict layer operations to layers of the same domain and version.
- Updated config file to support dynamic domains and versions. See Config File Format Changes below for more details.
- Removed the pre-ATT&CK domain from the Navigator in support of the next ATT&CK release. See issue #207.
- Removed the "stages" section of the filters and layer format.
- Allow legend and gradient to be hidden separately within the legend block in the SVG exporter. See pull request #223.
- Added functionality to select or deselect techniques in a tactic. This can be done within the context menu or by clicking on the name of the tactic and follows the user's behavior preference under "selection behavior" in the selection controls.
- Fixed a bug preventing layer downloads with an empty metadata field. See issue #214.
- Fixed a bug in "selection controls" where searching for techniques would return results only from the first enabled search property. See issue #200.
- Fixed a bug in the "default layers" interface where specifying multiple default layers would open the last specified URL multiple times. See issue #199.
- SVG exporter now honors layer sorting configuration. See pull request #223.
- Removed text selection in tactic headers. See issue #222.
- Long descriptions or names of layers will no longer cause the text exporter to hang. See issue #224.
Layer file format updated to version 4.0. Older versions can still be loaded in the Navigator, but will no longer display the Pre-ATT&CK domain. See layers/LAYERFORMATv4.md for the full specification.
- ATT&CK version 8.0 removed the pre-ATT&CK domain, which became two tactics tagged with the
PRE
platform in the Enterprise domain. Thestages
section of filters have been removed to reflect this migration. - Replaced
version
field withversions
object which specifies the layer format, Navigator, and ATT&CK content versions in support of the mixed domains and versions update.
To support the addition of dynamic versions and domains, paths to ATT&CK STIX bundles have been migrated to versions
. See issue #183.
- The
versions
object defines a list of ATT&CK content versions. Each version must conform the schema{"name": string, "domains": []}
, where thedomains
property is a list of domain objects. - Each domain specifies a
name
and adata
string array, where thedata
array is a list of paths to one or more STIX bundles. Multiple paths can be added to thedata
property to view multiple STIX bundles in a single layer instance.
For example, the paths to the current version of the Enterprise and Mobile domains are now formatted as follows:
"versions": [
{
"name": "ATT&CK v8",
"domains": [
{
"name": "Enterprise",
"data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v8.0/enterprise-attack/enterprise-attack.json"]
},
{
"name": "Mobile",
"data": ["https://raw.githubusercontent.com/mitre/cti/ATT%26CK-v8.0/mobile-attack/mobile-attack.json"]
}
]
}
]
The taxii_server
property has been removed. It was previously used to specify the TAXII server URL and data collections for loading content into the Navigator. This is now done by defining a taxii_url
and taxii_collection
property in place of the data
property for a given domain. For more information on TAXII support see Loading content from a TAXII server in the readme.
ATT&CK Navigator v3.0 and v3.1 includes support for sub-techniques as well as improvements to several of the interfaces and a major refactor of the codebase. The format for the config file and layer file have both changed: please see Layer File Format Changes and Config File Format Changes below for more details.
If you want to continue using the non-sub-techniques Navigator, please use the v2.3.2 release for local instances or the following live instances of Navigator v2.3.2:
- Added options to the SVG Export feature for the visibility of sub-techniques. See issue #142.
- Added update layers for March 2020 sub-techniques release. See issue #138.
- Updated the sample layers with sub-techniques support. See issue #138. We've also released some scripts on our attack-scripts repository corresponding to the sample layers.
- Extended search interface to support searching for techniques based on data sources. See pull request #158.
- Added show/hide all sub-techniques controls under "layer controls". See issue #141.
- Updated the "select sub-techniques with parent" control under the "selection controls" dropdown. Sub-techniques will be selected independently by default. See issue #140.
- Added sub-techniques as a configurable Navigator feature. Sub-technique features can be disabled by editing the
src/assets/config.json
file or using the "create customized Navigator" interface. See issue #112. - Added option to select scoring gradient from an existing layer in the create layers from other layers interface. See issue #121.
- Added options to select all techniques and sub-techniques with or without annotations in the context menu. See issue #163.
- Added a subscript to the techniques which have sub-techniques. The subscript shows the number of sub-techniques under a given technique and how many of those sub-techniques have annotations while the parent is collapsed. See issue #162.
- Updated the layout of the metadata value key. See issue #189.
- Added internet explorer support for the sub-techniques features, and improved Edge compatibility. See issue #135.
- Fixes a bug causing metadata values to be displayed improperly in tooltips. See issue #153.
- Fixes a bug in which the default layer link input field in the "create customized Navigator" interface loses focus between characters. See issue #136.
- Fixed a bug in "create layer from other layers" interface where inheriting filters would cause the application to crash. See issue #168.
- Fixed a bug where editing the gradient would also change the most recently selected gradient preset. See issue #167.
- Removed duplicate threat group entries from the multiselect interface and included sub-techniques in the selection of techniques related to threat groups, software, or mitigations. See issue #164.
- Fixed a bug in the sub-technique sidebar that occurs when all sub-techniques of a given technique are disabled and hidden. See issue #177.
- Removed the comment underscore from the sub-technique count subscript. See issue #184.
- Added support for sub-techniques. Techniques with sub-techniques will be denoted by a sidebar which can be clicked to show and hide the sub-techniques. Techniques without sub-techniques will not have a sidebar.
- Added "select techniques with subtechniques" control under "selection controls" dropdown, augmenting the existing "select techniques across tactics" control. By default sub-techniques will be selected along with their parents. See issue #114.
- Added "matrix layout" controls (replacing "view mode"). See issues #117 and #110.
- Supports multiple layouts, and the codebase is designed to allow the addition of new layouts easily. Added the following layouts:
- the "side" layout (default), where sub-techniques appear in an adjacent sub-column of the tactic.
- the "flat" layout, where sub-techniques appear nested beneath their parent similar to an indented list.
- the "mini" layout, where sub-techniques are grouped into boxes with their parent. The "mini" layout is designed to give an overview of the layer without the comparatively complex structure of the "flat" or "side" views.
- Added the ability to show technique ATT&CK IDs and names simultaneously, individually or not at all. The "mini" layout overrides this selection. See issue #124.
- Supports multiple layouts, and the codebase is designed to allow the addition of new layouts easily. Added the following layouts:
- Added mitigations to multi-select interface. Improved the extensibility of the multi-select interface to make future additions easier. See issue #119.
- Major redesign of the "render layer to SVG" feature.
- Added support for sub-techniques. See issue #116.
- Users will no longer need to specify text size manually. Algorithms have been implemented to automatically maximize text size without overflowing the text container. The overall layer rendering process will take slightly longer than previously due to these computations.
- Header and legend (docked and undocked) should be much more aesthetic.
- Score gradient legend should now show which scores map to which colors more clearly.
- Context menu and tooltip improvements:
- Visual style has been improved for both context menu and tooltip.
- Tooltip is now statically placed instead of following the cursor, which increases the performance of the UI.
- Context menu should now orient itself better to avoid falling off the edge of the screen.
- Added "view tactic" button to context menu.
- Major improvements to the flexibility of the custom context menu items feature. See Config File Format Changes below for more details.
- Major refactor to many components should reduce lag and improve extensibility and maintainability of the application.
- Export to excel: added sub-techniques support. See issue #115.
- Minor UI improvements to the search feature. Disabled regex in search because it was very buggy. See issue #113.
Layer file format updated to version 3.0. Older versions can still be loaded in the Navigator, but may have degraded functionality.
- Removed "viewMode" enumeration in favor of "layout" object. viewMode will get parsed into a layout configuration automatically, but the conversion is not perfect since the layouts have changed.
- Added "showSubtechniques" field to technique objects.
- Added "selectSubtechniquesWithParent" field setting the default value of the "select techniques with subtechniques" control.
The sub-techniques update of ATT&CK caused many techniques to be replaced by sub-techniques. Since the replacing sub-techniques have different IDs, many layers created before the sub-technques release will still be using IDs for the replaced techniques and therefore won't work properly in the new version even if the annotation format is correct. A conversion script is provided in the layers folder which both updates layers to the most recent format and also updates technique IDs to their replacers where possible. There are however a few cases which won't be caught:
- Cases where techniques which have been replaced by multiple sub-techniques are ignored entirely due to limitations in the remapping data.
- Cases where the
tactic
field was present but the replacing technique is not in that tactic. Runpython3 update-layers.py -h
for usage instructions.
Custom context menu feature has been significantly improved for flexibility. See Adding Custom Context Menu Options in the readme for more details on the format.
- Updated substitution string to use double curly braces (e.g
{{technique_name}}
) instead of tildes. - Added ability to specify STIX IDs in addition to ATT&CK IDs.
- Added the option to add a sub-technique specific URL (
subtechnique_url
) which will apply only to sub-techniques. When using the sub-technique URL, extra sub-technique related substitutions are available.
The "features" structure is used to enable/disable specific Navigator features. It also propagates to the "create customized Navigator" interface.
- "toggle_view_mode" has been renamed to "layout_controls" and the description updated accordingly.
- Updated trademark to registered trademark and updated copyright date to 2020. See issue #125.
- Updated help page to be more legible by increasing page margins.
- Fixes a bug where default_layers specified in
config.json
would not load. See pull request #109.
- Technique comments will now be included with excel exports as cell notes. Note: you may have to re-install your node modules for this functionality to be present. See issue #55.
- Minor matrix layout improvements. See issue #106.
- Added support for cloud platforms. See issue #101. Also see Layer File Format Changes, below.
- In layer-layer operations, score expressions are now calculated on an element-by-element basis. This allows the use of normal math operators (e.g
a * b
) instead of the elementwise operators (e.ga .* b
) as were previously required. It also enables the use of ternary operations such asa > b ? a : 0
. See issue #81. - Added the ability to specify multiple default layers in the layerURL query param. See issue #75.
- Multiselect interface should now correctly sort software and groups which start with lowercase letters. See issue #99.
- Layer loading should now provide more accurate descriptions when errors are encountered. See issue #103.
- Updated packages to fix vulnerabilities.
Layer file format updated to version 2.2. Older versions can still be loaded in the Navigator, and this update is fully backwards compatible with Version 2.1. See layers/LAYERFORMATv2_2md for the full v2.2 specification.
- Added the following cloud platforms to the set of acceptable enterprise platforms: "AWS", "GCP", "Azure", "Azure AD", "Office 365", "SaaS".
- Updated Enterprise and Mobile platforms to match their format as seen elsewhere in ATT&CK. This change is fully backwards compatible, and if the old format is detected it will automatically be updated to the new format.
- "android" becomes "Android"
- "ios" becomes "iOS"
- "windows" becomes "Windows"
- "linux" becomes "Linux"
- "mac" becomes "macOS"
- Updated Angular from 7.0.4 to 8.0.0.
- Updated other packages to fix vulnerabilities.
- Removed node-sass rebuild in dockerfile.
- Fixed improperly formatted domains in the April 2019 update layers which were causing issues when exporting those layers to excel.
- Updated readme to better highlight documentation for using the Navigator offline. See issue #82.
- Added the ability to associate user defined metadata to layers and techniques inside of a layer. Metadata can be useful for supporting other applications that use the layer format, or for attaching additional descriptive fields to the layer. The UI supports editing metadata on the layer itself, but not on techniques. Metadata on techniques is shown in tooltips. See Layer File Format Changes, below, for more detail on the metadata format. Also see issue #52.
- Removed
assets/tacticsData.json
. The Navigator now populates its tactics data fromx-mitre-matrix
andx-mitre-tactic
objects in the bundled data. The fieldtactics_url
was removed fromassets/config.json
-- see Changes to config.json Format, below. See issue #63.
- Multiple layers can now be loaded on initialization. A change to the
config.json
file format allows the user to specify a list of default layers. Default layers can be loaded from the assets directory or from the web. see Changes to config.json Format, below. Also see issue #67. - The color of the underline denoting comments can now be configured in the
config.json
file. Setting the color to"transparent"
will remove comment underlines altogether. See *Changes to config.json Format`, below. Also see issue #53.
- Updated links in the documentation to match the new ATT&CK website. See issue #62.
- Updated Angular to version 7.0.6. This fixes some installation issues with OSX. We also updated several other packages. Please note that our new version of Angular requires a newer nodejs version, so try updating your node installation if errors occur after updating the Navigator. See issues #61, #70.
- Merged a pull request which fixed a bug where default layers would have placeholder layer titles. See #54.
- Negative scores can now be entered in the UI. See #72.
default_layer
has been renamed to default_layers
. The string property location
has been replaced with the string[] property urls
. The strings in urls
should be the paths to the default layers you wish to load -- now multiple default layers can be loaded. You can also now load default layers from the assets folder and from the web simultaneously, although the order of the tabs is not guaranteed (since layer loading over HTTP is asynchronous).
To update previous default layers configuration to the new format, see the following example:
"default_layer": {
"enabled": true,
"location": "assets/example.json"
}
Becomes:
"default_layers": {
"enabled": true,
"urls": [
"assets/example.json"
]
}
The comment_color
field has been added, which specifies the color for comment underlines.
assets/tacticsData.json
was removed, and the config.json
field tactics_url
along with it. tacticsData.json
was previously used to specify the pre-attack, mitre-enterprise and mitre-mobile tactics.
This is now done using the x-mitre-matrix
and x-mitre-tactic
objects in the bundled data retrieved from the taxii server or from our static cti github. x-mitre-matrix
specifies the order of tactics and x-mitre-tactic
specifies the actual tactic data.
If you are using your own dataset with the Navigator an update to your source data will be required. The ATT&CK Navigator uses bundled data, where objects with types attack-pattern
, intrusion-set
, malware
, tool
, relationship
, x-mitre-tactic
, and x-mitre-matrix
are all stored in a single array. This array is now required to contain x-mitre-tactic
and x-mitre-matrix
objects, which were not previously used.
The data retrieved from enterprise_attack_url
, pre_attack_url
, and mobile_data_url
follow the proper bundle format. Please use them as a guide for how to format your own datasets.
Also, please note that multiple matrices are only supported for mitre-mobile
, which expects matrices with the names Device Access
and Network-Based Effects
so that we can order the tactics in the UI properly.
Layer file format updated to version 2.1. This update is fully backwards compatible with layer format v2.0 since all the added fields are optional. See layers/LAYERFORMATv2_1.md for the full v2.1 specification.
This update constitutes the addition of metadata
fields to the layer and technique objects. Metadata can be used to support other applications using the layer format, or to add additional descriptive fields to layers or techniques. Metadata is formatted as an array, and each piece of metadata in the array must conform to the schema {"name": string, "value": string}
.
- Added export to MS Excel feature. Saves the current layer to MS excel (xlsx) format. See issue #52.
- In the export to SVG interface you can now hide the technique count in the tactic column headers. See issue #47.
- Updated the README to explain how to use local files to populate the Navigator. See issue #51.
- Fixed constant score expressions (e.g
10
,5+5
) featuring no variables being ignored in the create layers from other layers interface. Now if a constant score expression is present it assigns uniformly to all techniques. See issue #49. - Fixed a bug when uploading layers with no tactic field on techniques. When said field was absent, techniques with
enabled=false
were not initially hidden whenhideDisabled=true
. See issue #50.
- Added TAXII client to pull ATT&CK content from a TAXII server. By default, the Navigator now loads content from the MITRE CTI TAXII server hosted at https://cti-taxii.mitre.org. See issue #4.
- Added a new interface to render layers to a downloadable SVG image. See issue #2.
- Added the ability to load a default layer when the Navigator initializes. See issues #14, #26.
- Added configurable background color to tactics row. See issue #32.
- Added customizable legend to describe the meanings of the colors of annotated techniques. See issues #24, #28, #31, #33.
- Added the ability to disable navigator features, either by editing the
src/assets/config.json
or using the new create customized Navigator interface. See issues #21, #41. - Added the ability to specify new items in the technique context menu by editing
src/assets/config.json
. These new items can be used to hyperlink to a specified URL, with parameters for the technique ID or tactic. See issue #9. - Added a button to remove all annotations on the currently selected techniques. See issue #12.
- Added a new "super compact" view option, which removes all technique text in order to fit as much content on the screen as possible. See issue #11.
- Depreciated and revoked objects in the STIX content are no longer displayed in the Navigator. See issue #30.
- Uploading a layer with of a different version number than expected warns the user that some annotations or configurations may not be restored. See issue #27.
- A dockerfile was added to the repo, and documentation on using the Navigator with Docker was added to the readme. See issue #15.
- CTRL (windows) and CMD (mac) can now be used to select multiple techniques in addition to shift (both platforms). See issue #18.
- Gradient colors are now fully customizable, using a color picker instead of a dropdown menu.
- Tooltips resize to fit long comments. If the comment exceeds a certain length the overflow is cut and denoted by ellipses (...). See issue #23.
- Tooltips, dropdown menus and context menus now align themselves automatically to avoid going off the edge of the page.
- Tab performance is now more independent of the number and content of other tabs.
- Uploaded layer files now typecheck their fields to make sure everything is formatted properly. Fields which do not meet the layer format specification are set to their default value.
Layer file format updated to version 2.0. Older layer versions can still be loaded by the Navigator, however some fields may no longer be supported. See layers/LAYERFORMATv2.md for the full v2.0 specification.
- Replaced the
viewFullTable
field (boolean) with theviewMode
field (number) in order to support the "super compact" view option. See issue #11.- If
viewFullTable
is present in a layer file uploaded to the v2.0 Navigator it will be ignored. - To upgrade a layer without losing the view mode, see the following mappings:
viewFullTable: true
becomesviewMode: 0
.viewFullTable: false
becomesviewMode: 1
.
- If
- Added
legendItems
field, an array of legendItem objects (also specified in document). This field can be used to specify the contents of the legend. See issue #24. - Added
showTacticRowBackground
field (boolean), which if true sets the layer to display a background color for the tactic row. See issue #32. - Added
tacticRowBackground
field (string), which holds the hex color value to show as the background to the tactic row ifshowTacticRowBackground
is true. See issue #32. - Added
selectTechniquesAcrossTactics
field (boolean), which if false allows the user to select instances of techniques which are found in multiple tactics individually. See issue #8. - Added
tactic
field (string) to the Technique object. If this field is present, the annotations will only be applied to the instance of the technique in the specified tactic. If this field is not present, the annotations will be applied to all instances of the technique. See issue #8.