By Shahrukh Khan · 3 min read

MITRE ATT&CK v19 Explained

Explore MITRE ATT&CK v19, including the retirement of Defense Evasion and the introduction of Stealth and Defense Impairment tactics.

MITRE ATT&CK Version 19 introduces one of the most significant structural changes to the framework in recent years. The long-standing Defense Evasion (TA0005) tactic has been retired and replaced with two distinct tactics designed around adversary intent: Stealth and Defense Impairment.

This change provides defenders with greater clarity by separating techniques used to avoid detection from those used to actively weaken security controls. While both tactics help adversaries operate undetected, they require different defensive strategies and detection approaches.

Why MITRE Split Defense Evasion

Historically, Defense Evasion covered a broad range of techniques that included both hiding malicious activity and disabling security mechanisms. Over time, this created overlap between techniques with very different objectives.

MITRE's new approach asks a simple question:

Is the adversary hiding, or are they breaking something?

If an attacker is blending into normal activity while security controls remain operational, the technique belongs to Stealth.

If an attacker is actively degrading, disabling, or manipulating security controls, the technique belongs to Defense Impairment.

This distinction improves threat modeling, detection engineering, and incident response workflows.

Stealth (TA0005)

Stealth focuses on techniques that allow attackers to avoid detection while leaving defensive controls intact.

The objective is to blend into legitimate activity, disguise malicious actions, and reduce visibility without directly interfering with security tools.

Common Stealth Techniques

  • Abuse Elevation Control Mechanism (T1548)

  • Access Token Manipulation (T1134)

  • BITS Jobs (T1197)

  • Build Image on Host (T1612)

  • Debugger Evasion (T1622)

  • Delay Execution (T1678)

  • Deobfuscate or Decode Files or Information (T1140)

  • Deploy Container (T1610)

  • Direct Volume Access (T1006)

  • Execution Guardrails (T1480)

  • Exploitation for Stealth (T1211)

  • Hide Artifacts (T1564)

  • Hijack Execution Flow (T1574)

  • Masquerading (T1036)

  • Obfuscated Files or Information (T1027)

  • Process Injection (T1055)

  • Reflective Code Loading (T1620)

  • Rootkit (T1014)

  • System Binary Proxy Execution (T1218)

  • Trusted Developer Utilities Proxy Execution (T1127)

  • Valid Accounts (T1078)

  • Virtualization and Sandbox Evasion (T1497)

  • Web Service (T1102)

New Technique

Version 19 introduces:

  • Social Engineering (T1684)

This addition recognizes the increasing role of social engineering in helping adversaries remain unnoticed during operations.

Defense Impairment (TA0112)

Defense Impairment focuses on techniques that actively reduce the effectiveness of security controls.

Rather than hiding activity, attackers attempt to blind defenders by disabling monitoring, weakening security policies, or modifying protective mechanisms.

Common Defense Impairment Techniques

  • Disable or Modify System Firewall (T1686)

  • Disable or Modify Tools (T1685)

  • Downgrade Attack (T1689)

  • Modify Authentication Process (T1556)

  • Modify Cloud Compute Infrastructure (T1578)

  • Modify Cloud Resource Hierarchy (T1666)

  • Modify Registry (T1112)

  • Modify System Image (T1601)

  • Network Boundary Bridging (T1599)

  • Plist File Modification (T1647)

  • Rogue Domain Controller (T1207)

  • Subvert Trust Controls (T1553)

  • Domain or Tenant Policy Modification (T1484)

New Techniques

Version 19 introduces several new additions to Defense Impairment:

  • Exploitation for Defense Impairment (T1687)

  • Prevent Command History Logging (T1690)

  • Safe Mode Boot (T1688)

These techniques reflect modern attacker efforts to directly undermine security visibility and defensive capabilities.

Why This Matters for Defenders

The separation of Stealth and Defense Impairment provides security teams with a more accurate representation of attacker behavior.

Detection Engineering

Detection rules can now be mapped more precisely based on attacker objectives rather than broad evasion categories.

Threat Hunting

Hunters can differentiate between activities designed to conceal operations and activities intended to weaken defenses.

Incident Response

Understanding attacker intent allows responders to prioritize actions more effectively. An attacker disabling endpoint protection requires a different response than an attacker using masquerading or process injection.

Security Metrics

Organizations can better assess coverage gaps by measuring visibility across both Stealth and Defense Impairment tactics separately.

What Changes for Existing ATT&CK Mappings?

Organizations using ATT&CK for detection coverage, purple teaming, threat hunting, and reporting should review existing mappings.

Several techniques previously categorized under Defense Evasion have been reassigned based on intent. Detection use cases, dashboards, threat intelligence reports, and coverage assessments may require updates to align with Version 19.
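The mapping review described above, together with the per-tactic coverage measurement from the Security Metrics section, can be done mechanically against a rule inventory. The script below is an added example and is not MITRE's tooling or code from this article: the technique-to-tactic tables are copied from the article's two lists, the tactic IDs are the ones the article gives (Stealth TA0005, Defense Impairment TA0112), and the rule inventory is constructed. The sub-technique ID T1218.011 (Rundll32) and the technique ID T0000 (a deliberately invalid placeholder used to show the manual-review path) do not appear in the article.

```python
"""Remap detection rules from the retired Defense Evasion tactic to the
ATT&CK v19 Stealth / Defense Impairment tactics and report coverage
per tactic.  Added example: tactic membership tables come from the
article's lists; the rule inventory below is constructed."""
from collections import defaultdict

# Techniques the article lists under Stealth (including the new T1684).
STEALTH = {
    "T1548", "T1134", "T1197", "T1612", "T1622", "T1678", "T1140", "T1610",
    "T1006", "T1480", "T1211", "T1564", "T1574", "T1036", "T1027", "T1055",
    "T1620", "T1014", "T1218", "T1127", "T1078", "T1497", "T1102", "T1684",
}
# Techniques the article lists under Defense Impairment (including the
# three new ones: T1687, T1690, T1688).
DEFENSE_IMPAIRMENT = {
    "T1686", "T1685", "T1689", "T1556", "T1578", "T1666", "T1112", "T1601",
    "T1599", "T1647", "T1207", "T1553", "T1484", "T1687", "T1690", "T1688",
}
# Tactic name -> (tactic ID as stated in the article, member techniques).
TACTICS = {
    "Stealth": ("TA0005", STEALTH),
    "Defense Impairment": ("TA0112", DEFENSE_IMPAIRMENT),
}
RETIRED_TACTIC = "Defense Evasion"


def classify(technique_id):
    """Return (tactic_name, tactic_id) for a technique under v19, or None
    when it is in neither list and needs manual review.  Sub-technique
    IDs such as T1218.011 are resolved through their parent technique."""
    parent = technique_id.split(".")[0]
    for name, (tactic_id, members) in TACTICS.items():
        if parent in members:
            return name, tactic_id
    return None


def remap(rules):
    """Rules are dicts with 'rule', 'technique' and 'tactic' keys.
    Rules not mapped to Defense Evasion are passed through unchanged.
    Returns (remapped_rules, unresolved_rules)."""
    remapped, unresolved = [], []
    for rule in rules:
        if rule["tactic"] != RETIRED_TACTIC:
            remapped.append(dict(rule))
            continue
        hit = classify(rule["technique"])
        if hit is None:
            unresolved.append(dict(rule))
            continue
        name, tactic_id = hit
        remapped.append({**rule, "tactic": name, "tactic_id": tactic_id})
    return remapped, unresolved


def coverage(rules):
    """Per v19 tactic: (listed techniques with at least one rule,
    total techniques listed).  Only rules already mapped to Stealth or
    Defense Impairment count, so a Valid Accounts rule filed under
    Initial Access does not inflate Stealth coverage."""
    covered = defaultdict(set)
    for rule in rules:
        if rule["tactic"] in TACTICS:
            covered[rule["tactic"]].add(rule["technique"].split(".")[0])
    return {name: (len(covered[name]), len(members))
            for name, (_, members) in TACTICS.items()}


# Constructed inventory of the kind a SOC might export from its rule store.
SAMPLE_INVENTORY = [
    {"rule": "rundll32 loading DLL from user-writable path",
     "technique": "T1218.011", "tactic": "Defense Evasion"},
    {"rule": "Remote thread created in LSASS",
     "technique": "T1055", "tactic": "Defense Evasion"},
    {"rule": "Endpoint protection service stopped",
     "technique": "T1685", "tactic": "Defense Evasion"},
    {"rule": "Shell history disabled or redirected",
     "technique": "T1690", "tactic": "Defense Evasion"},
    {"rule": "Valid account logon from new ASN",
     "technique": "T1078", "tactic": "Initial Access"},
    # T0000 is a constructed placeholder ID, not a real technique.
    {"rule": "Legacy rule with stale technique ID",
     "technique": "T0000", "tactic": "Defense Evasion"},
]


if __name__ == "__main__":
    remapped, unresolved = remap(SAMPLE_INVENTORY)
    for rule in remapped:
        print(f"{rule['technique']:<10} {rule['tactic']:<20} {rule['rule']}")
    for rule in unresolved:
        print(f"REVIEW   {rule['technique']:<10} {rule['rule']}")
    for tactic, (hit, total) in coverage(remapped).items():
        print(f"{tactic}: {hit}/{total} listed techniques have a rule")
```

Unresolved rules are the interesting output: they are the ones whose technique ID is in neither v19 list, which is exactly the set a detection engineer has to re-read against the new tactic definitions rather than bulk-migrate. The coverage numbers are against the techniques the article enumerates, so they track the two tactics separately as the Security Metrics section suggests.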

Final Thoughts

MITRE ATT&CK Version 19 is more than a framework update. It represents a shift toward intent-driven adversary modeling.

By retiring Defense Evasion and introducing Stealth and Defense Impairment, MITRE has created a structure that more accurately reflects how modern attackers operate and how defenders should respond.

For detection engineers, SOC analysts, threat hunters, and security architects, understanding this change is essential for maintaining accurate ATT&CK mappings and building effective defensive strategies.

Version 19 does not simply rename a tactic. It redraws the map for how defenders understand adversary behavior.

© 2026