mitre-attack / attack-evals

ATT&CK Evaluations website (DEPRECATED)
https://attackevals.mitre.org

Remove Detections from Enabling Techniques #7

Closed JeffJLi closed 5 years ago

JeffJLi commented 5 years ago

Some vendors have detections for enabling techniques (i.e., PowerShell, API, Command-Line Interface) within their JSON results files. Enabling techniques were used during the evaluation to describe the mechanism for executing the technique under test, but were not considered within the scope of the evaluation. Any data in the JSON for enabling techniques needed to be removed to ensure consistency across vendor JSON results.

Note: 16.F.1 Command-Line Interface is considered a primary technique for that step, and was not changed in this process.
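The cleanup described in this issue, written out as an added example; this is not code from the attack-evals repository, and the results-file schema it reads (a `steps` list, each step carrying its primary `technique` and a list of `detections` tagged by technique) is an assumption constructed for the example. Rather than hardcoding the 16.F.1 exception, it keeps an enabling-technique detection whenever that technique is the step's own primary technique, which is the general rule the note above describes, and it reports what it removed so the change to a vendor's file can be audited.

```python
import copy
import json

# Enabling techniques named in the issue: the mechanism used to execute the
# technique under test, out of scope for the evaluation itself.
ENABLING_TECHNIQUES = {"PowerShell", "API", "Command-Line Interface"}

# Constructed sample in an ASSUMED schema (not the real results-file format):
# one file per vendor, a list of steps, each with the primary technique tested
# and the detection entries the vendor reported, tagged by technique.
SAMPLE_RESULTS = json.loads("""
{
  "vendor": "ExampleVendor",
  "steps": [
    {"step": "1.A.1", "technique": "Remote File Copy",
     "detections": [{"technique": "Remote File Copy", "category": "Telemetry"},
                    {"technique": "PowerShell", "category": "Enrichment"}]},
    {"step": "16.F.1", "technique": "Command-Line Interface",
     "detections": [{"technique": "Command-Line Interface", "category": "Telemetry"}]},
    {"step": "3.B.2", "technique": "Process Discovery",
     "detections": [{"technique": "Command-Line Interface", "category": "Telemetry"},
                    {"technique": "Process Discovery", "category": "General Behavior"}]}
  ]
}
""")


def audit_enabling_detections(results, enabling=ENABLING_TECHNIQUES):
    """List (step, technique) pairs where a detection is recorded against an
    enabling technique that is not the step's own primary technique.
    An empty list means the file is consistent with the evaluation scope."""
    findings = []
    for step in results["steps"]:
        for det in step["detections"]:
            tech = det["technique"]
            if tech in enabling and tech != step["technique"]:
                findings.append((step["step"], tech))
    return findings


def strip_enabling_detections(results, enabling=ENABLING_TECHNIQUES):
    """Return (cleaned_copy, removed_entries).

    Out-of-scope enabling-technique detections are dropped; a detection for
    an enabling technique that is the step's primary technique (16.F.1 in the
    issue) is kept. The input is not modified, so before/after can be diffed.
    """
    cleaned = copy.deepcopy(results)
    removed = []
    for step in cleaned["steps"]:
        kept = []
        for det in step["detections"]:
            tech = det["technique"]
            if tech in enabling and tech != step["technique"]:
                # Record the step id alongside the entry for the audit trail.
                removed.append({"step": step["step"], **det})
            else:
                kept.append(det)
        step["detections"] = kept
    return cleaned, removed


if __name__ == "__main__":
    print("before:", audit_enabling_detections(SAMPLE_RESULTS))
    cleaned, removed = strip_enabling_detections(SAMPLE_RESULTS)
    print("removed:", json.dumps(removed, indent=2))
    print("after:", audit_enabling_detections(cleaned))
    print(json.dumps(cleaned, indent=2))
```

Running the audit before and after the strip is the consistency check this issue is about: the "after" list should be empty for every vendor file, and the removed entries are what would be reported back to the vendor.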

JeffJLi commented 5 years ago

FIXED: Issue originally addressed on 12/03/2018. Enabling techniques were not included in the results on the website, though some data still existed within the JSON version of the results. MITRE examined each vendor's JSON files, and removed any unintentional detections from enabling techniques, as was the original intent of ATT&CK Evaluations. Microsoft, Sentinel One, and RSA had erroneously included detection categories for some enabling techniques, and these were removed to ensure consistency of results.