From MITRE ATT&CKcon Power Hour January 2021 By Adam Pennington, ATT&CK Lead, MITRE Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.

1. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
State of the ATT&CK®
Adam Pennington
ATT&CK Lead
@_whatshisface

2. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
MITRE ATT&CK Remains Strong
• Backed by 39 MITRE staff and a growing community
Enterprise Cloud
Network
Devices
ICS Mobile
CAR Infrastructure Threat Intel Outreach

3. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
+
=

4. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CKcon Power Hour
by the Numbers
• CFP open three weeks in August
• 46% of submissions on the last day, 73% in the last four
• 28% acceptance rate – Judged blind by 6 person PC
• 4 90-minute sessions over 4 months
• 20 talks

5. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CKcon Power Hour Themes
likethecoins
Cloud
Mobile
Threats
ATT&CK
Meme by @savvyspoon

6. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CKcon 2021

7. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
Looking Back on 2020
http://gunshowcomic.com/648

8. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data
Manipulation
© 2019 The MITRE Corporation. All rights reserved. Matrix current as of May 2019.
Command and Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and
Control Protocol
Custom Cryptographic
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation
Algorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer
Protocol
Standard Cryptographic
Protocol
Standard Non-Application
Layer Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Other
Network Medium
Exfiltration Over Command
and Control Channel
Exfiltration Over Alternative
Protocol
Exfiltration Over
Physical Medium
Scheduled Transfer
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information
Repositories
Data from Local System
Data from Network
Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Lateral Movement
AppleScript
Application Deployment
Software
Distributed Component
Object Model
Exploitation of
Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through
Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote
Management
Credential Access Discovery
Network Sniffing
Account Manipulation Account Discovery
Bash History Application Window
Discovery
Brute Force
Credential Dumping Browser Bookmark
Discovery
Credentials in Files
Credentials in Registry Domain Trust Discovery
Exploitation for
Credential Access
File and Directory Discovery
Network Service Scanning
Forced Authentication Network Share Discovery
Hooking Password Policy Discovery
Input Capture Peripheral Device Discovery
Input Prompt Permission Groups Discovery
Kerberoasting Process Discovery
Keychain Query Registry
LLMNR/NBT-NS Poisoning
and Relay
Remote System Discovery
Security Software Discovery
Password Filter DLL System Information
Discovery
Private Keys
Securityd Memory System Network
Configuration Discovery
Two-Factor Authentication
Interception
System Network
Connections Discovery
System Owner/User
Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox
Evasion
Execution Persistence Privilege Escalation Defense Evasion
Scheduled Task Binary Padding
Launchctl Access Token Manipulation
Local Job Scheduling Bypass User Account Control
LSASS Driver Extra Window Memory Injection
Trap Process Injection
AppleScript DLL Search Order Hijacking
CMSTP Image File Execution Options Injection
Command-Line Interface Plist Modification
Compiled HTML File Valid Accounts
Control Panel Items Accessibility Features BITS Jobs
Dynamic Data Exchange AppCert DLLs Clear Command History
Execution through API AppInit DLLs CMSTP
Execution through
Module Load
Application Shimming Code Signing
Dylib Hijacking Compiled HTML File
Exploitation for
Client Execution
File System Permissions Weakness Component Firmware
Hooking Component Object Model
Hijacking
Graphical User Interface Launch Daemon
InstallUtil New Service Control Panel Items
Mshta Path Interception DCShadow
PowerShell Port Monitors Deobfuscate/Decode Files
or Information
Regsvcs/Regasm Service Registry Permissions Weakness
Regsvr32 Setuid and Setgid Disabling Security Tools
Rundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails
Service Execution .bash_profile and .bashrc Exploitation for
Privilege Escalation
Exploitation for
Defense Evasion
Signed Binary
Proxy Execution
Account Manipulation
Authentication Package SID-History Injection File Deletion
Signed Script
Proxy Execution
BITS Jobs Sudo File Permissions
Modification
Bootkit Sudo Caching
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default
File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component Object
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote
Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removal
from Tools
XSL Script Processing Hypervisor
Kernel Modules
and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share Connection
Removal
Rc.common
Redundant Access NTFS File Attributes
Registry Run
Keys / Startup Folder
Obfuscated Files
or Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust Provider
Hijacking
Regsvcs/Regasm
Regsvr32
System Firmware Rootkit
Systemd Service Rundll32
Time Providers Scripting
Windows Management
Instrumentation Event
Subscription
Signed Binary
Proxy Execution
Signed Script
Proxy Execution
Winlogon Helper DLL
SIP and Trust Provider
Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Virtualization/Sandbox
Evasion
Web Service
XSL Script Processing
Initial Access
Drive-by Compromise
Exploit Public-Facing
Application
External Remote Services
Hardware Additions
Replication Through
Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Enterprise ATT&CK
as of
January 2020

9. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Active Scanning Acquire Infrastructure Valid Accounts Scheduled Task/Job Modify Authentication Process System Service Discovery Remote Services Data from Local System Data Obfuscation Exfiltration Over Other
Network Medium
Data Destruction
Gather Victim Host Information Compromise Accounts
Replication Through
Removable Media
Windows
Management
Instrumentation
Valid Accounts Network Sniffing
Software Deployment
Tools
Data from Removable
Media
Fallback Channels Data Encrypted for Impact
Gather Victim Identity Information Compromise Infrastructure Hijack Execution Flow OS Credential Dumping Application Window
Discovery
Application Layer Protocol Scheduled Transfer Service Stop
Gather Victim Network Information Develop Capabilities Trusted Relationship Software
Deployment
Tools
Boot or Logon Initialization Scripts Direct Volume Access Input Capture
Replication Through
Removable Media
Input Capture Proxy Data Transfer Size Limits Inhibit System Recovery
Gather Victim Org Information Establish Accounts Supply Chain Compromise Create or Modify System Process Rootkit Brute Force System Network
Configuration Discovery
Data Staged Communication Through
Removable Media
Exfiltration Over
C2 Channel
Defacement
Phishing for Information Obtain Capabilities Hardware Additions Shared Modules Event Triggered Execution Obfuscated Files or
Information
Two-Factor Authentication
Interception
Internal Spearphishing Screen Capture Firmware Corruption
Search Closed Sources Exploit Public-Facing
Application
User Execution Boot or Logon Autostart Execution System Owner/User
Discovery
Use Alternate
Authentication Material
Email Collection Web Service Exfiltration Over
Physical Medium
Resource Hijacking
Search Open Technical Databases Exploitation for
Client
Execution
Account Manipulation Process Injection
Exploitation for Credential
Access
Clipboard Data Multi-Stage Channels Network Denial of Service
Search Open Websites/Domains Phishing External Remote Services Access Token Manipulation System Network
Connections Discovery
Lateral Tool Transfer Automated Collection Ingress Tool Transfer Exfiltration Over
Web Service
Endpoint Denial of Service
Search Victim-Owned Websites External Remote Services System Services Office Application Startup Group Policy Modification Steal Web Session Cookie Taint Shared Content Audio Capture Data Encoding System Shutdown/Reboot
Drive-by Compromise Command and
Scripting
Interpreter
Create Account Abuse Elevation Control Mechanism Unsecured Credentials
Permission Groups
Discovery
Exploitation of Remote
Services
Video Capture Traffic Signaling Automated Exfiltration Account Access Removal
Browser Extensions Exploitation for Privilege
Escalation
Indicator Removal on Host Credentials from
Password Stores
Man in the Browser Remote Access Software Exfiltration Over
Alternative Protocol
Disk Wipe
Native API Traffic Signaling Modify Registry File and Directory
Discovery
Remote Service Session
Hijacking
Data from
Information Repositories
Dynamic Resolution Data Manipulation
Inter-Process
Communication
BITS Jobs Trusted Developer Utilities
Proxy Execution
Steal or Forge Kerberos
Tickets
Non-Standard Port Transfer Data to
Cloud Account
Server Software
Component
Peripheral Device
Discovery
Man-in-the-Middle Protocol Tunneling
Traffic Signaling Forced Authentication Archive Collected Data Encrypted Channel
Pre-OS Boot Signed Script Proxy
Execution
Steal Application Access
Token
Network Share Discovery Data from
Network Shared Drive
Non-Application
Layer Protocol
Compromise Client
Software Binary
Password Policy Discovery
Rogue Domain Controller Man-in-the-Middle Browser Bookmark
Discovery
Data from
Cloud Storage Object
Implant Container Image Indirect Command
Execution Virtualization/Sandbox
Evasion
BITS Jobs
XSL Script Processing Cloud Service Dashboard
Template Injection Software Discovery
File and Directory
Permissions Modification
Query Registry
Remote System Discovery
Virtualization/Sandbox
Evasion
Network Service Scanning
Process Discovery
Unused/Unsupported
Cloud Regions
System Information
Discovery
Use Alternate
Authentication Material
Account Discovery
System Time Discovery
Impair Defenses Domain Trust Discovery
Hide Artifacts Cloud Service Discovery
Masquerading Cloud Infrastructure Discovery
Deobfuscate/Decode Files
or Information
Signed Binary Proxy
Execution
Exploitation for
Defense Evasion
Execution Guardrails
Modify Cloud Compute
Infrastructure
Pre-OS Boot
Subvert Trust Controls
Enterprise ATT&CK
as of
January 2021

10. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
| 10 |
Why Sub-Techniques?
• Abstraction imbalance across knowledge base
• Some techniques broad: Masquerading
• Some techniques narrow: Rundll32
• Most common complaint over the past couple of years
• Techniques have a lot of depth to them
• Some don’t read beyond the name
• An analytic per technique may not make coverage “green”
• Technique overload
• "Too many techniques!"
• "The matrix is too big!"

11. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
| 11 |
Credential Access
Brute Force
Forced Authentication
Input Capture
OS Credential Dumping
Unsecured Credentials
…
OS Credential Dumping
Sub-Techniques
Security Accounts Manager
LSA Secrets
Cached Domain Credentials
Proc Filesystem
…
Sub-Technique Example

12. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
| 12 |
New Technique Page

13. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
| 13 |
New Sub-Technique

14. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
| 14 |
Sub-Techniques are Here!
• Released March 31st in beta
• Became ATT&CK on July 8th
• Website
• STIX/TAXII
• ATT&CK Navigator
• Crosswalks from pre sub-
techniques to sub-techniques
• Design & Philosophy paper

15. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21

16. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
The PRE Merge
• Deprecated PRE-ATT&CK matrix
for PRE Enterprise platform
• 2 new Tactics
• Criteria for inclusion:
1. Technical
2. Visible to some defenders
3. Evidence of adversary use

17. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
Reconnaissance
• Actively or passively gathering
information that can be used to
support targeting.
• 10 Techniques & 31 Sub-techniques
• Split into what & how

18. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
Resource Development
• Building, buying, or compromising
resources that can be used during
targeting
• Infrastructure
• Accounts
• Capabilities
• 6 Techniques & 26 Sub-techniques

19. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
PRE ATT&CK Merge
Check out Mike and Jamie’s presentation
from November’s ATT&CKcon Power Hour
https://youtu.be/M_uG_hlmTcA

20. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Network Devices
• New platform in Enterprise
• Techniques against network
infrastructure devices
• 13 techniques and 15 sub-
techniques added or modified

21. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for ICS
| 21 |
Unique Adversary Goals Technology Differences Different Defenses

22. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ICS Matrix Released in Jan 2020

23. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for ICS
Check out Otis’s presentation from
December’s ATT&CKcon Power Hour
https://youtu.be/_GZwY-9QyFk

24. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
What’s Coming in 2021?
Photo by Adam Pennington

25. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Enterprise
• A period of stability
• No changes as big as PRE or subs on our roadmap
• Major releases currently planned in April and October
Windows Mac Linux Cloud PRE
Network
Devices

26. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Enterprise (v8.2)
• Several new/updated techniques in reporting around
the SolarWinds supply chain injection/UNC2452
• Preview of techniques we’ve spotted, will add in v8.2
• http://bit.ly/ATTACKPRVW
• Repo listing related reports with behaviors
• http://bit.ly/ATTACKRPTS
Both resources are being regularly updated

27. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Enterprise (Mac/Linux)
• Ongoing effort to improve and expand coverage
• Much less focus historically than Windows techniques
• macOS updates targeted for April release
• Linux updates targeted for October release

28. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Enterprise
(Data Sources)
• Currently a list of text strings
• No details beyond the name
• No descriptions behind them

29. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
Adding metadata to ATT&CK data sources
Process
Sysmon 1
Process Creation
Sysmon 3
Network Connection
Sysmon 8
Create Remote Thread
Sysmon 10
Process Access
Security 4688
Process Created
Security 5156
Connection Permitted
Process
Process Created
Process
User Created
Ip
Process
Connected
To
Ip
User
Connected
To
Process
Process Wrote To
Process
Process Opened
Process Network
Connection
Process Creation
Process
Modification
Process Access
Data Sources
Components
Relationships Event Logs

30. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Enterprise
(Data Sources)
For a deeper dive on data sources, check out Jose’s Data
Sources posts on our blog https://medium.com/mitre-attack

31. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
Data Sources as an Object
• Slated for Enterprise in
April ATT&CK release
• Should flow to other parts
of ATT&CK over time
• Will dramatically improve
ATT&CK data sources

32. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Enterprise (Cloud)
Current Future
SaaS
IaaS
Additional
SaaS
platforms….
Additional
SaaS
platforms….
Additional
SaaS
platforms….
SaaS

33. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
Cloud Example Data Source
Instance
Data Source Data Component Events (API)
Instance Creation
Instance Modification
Instance Deletion
Instance Metadata
Instance Enumeration
Instance Start
Instance Stop
AWS: ListInstances
AWS: ModifyInstanceAttribute
AWS: TerminateInstances
AWS: DescribeInstances
AWS: RunInstances
AWS: StartInstances
AWS: StopInstances

34. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Enterprise (Cloud)
Check out Jen’s presentation from
October’s ATT&CKcon Power Hour
https://youtu.be/a-xs5VqlcKI

35. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Enterprise (Containers)
Microsoft’s ATT&CK-like “Threat Matrix for Kubernetes”

36. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Enterprise (Containers)
Check out Jen’s ATT&CK for Containers post on
https://medium.com/mitre-engenuity
• Investigating adversary
behaviors in containers
• May be added to ATT&CK if
enough intel exists
• Please contribute!

37. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK Workbench
• Tool allowing users to explore,
create, annotate and share
extensions of ATT&CK
• Planned to become ATT&CK
team’s content creation tool
• Slated for release later in 2021

38. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
ATT&CK for Mobile & ICS
Mobile ATT&CK
Enterprise ATT&CK
ICS ATT&CK
It’s just
• Working towards feature equity with Enterprise
• ICS – Otis Alexander’s talk https://youtu.be/_GZwY-9QyFk
• Mobile – Watch for upcoming blog posts

39. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
Thank you ATT&CK Community!
| 39 |
•Alain Homewood, Insomnia Security
•Christoffer Strömblad
•Alain Homewood, Insomnia Security
•Alan Neville, @abnev
•Alex Hinchliffe, Palo Alto Networks
•Alfredo Abarca
•Allen DeRyke, ICE
•Anastasios Pingios
•Andrew Smith, @jakx_
•Arie Olshtein, Check Point
•AttackIQ
•Aviran Hazum, Check Point
•Avneet Singh
•Barry Shteiman, Exabeam
•Bart Parys
•Bartosz Jerzman
•Brian Prange
•Brian Wiltse @evalstrings
•Bryan Lee
•Carlos Borges, @huntingneo, CIP
•Casey Smith
•Center for Threat-Informed Defense (CTID)
•Chen Erlich, @chen_erlich, enSilo
•Chris Roffe
•Christiaan Beek, @ChristiaanBeek
•Christopher Glyer, FireEye, @cglyer
•Cody Thomas, SpecterOps
•Craig Aitchison
•CrowdStrike Falcon OverWatch
•Cybereason Nocturnus, @nocturnus
•Dan Nutting, @KerberToast
•Daniel Oakley
•Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
•Daniyal Naeem, @Mrdaniyalnaeem
•Darren Spruell
•Dave Westgard
•David Ferguson, CyberSponse
•David Lu, Tripwire
•David Routin
•Deloitte Threat Library Team
•Diogo Fernandes
•Doron Karmi, @DoronKarmi
•Drew Church, Splunk
•Ed Williams, Trustwave, SpiderLabs
•Edward Millington
•Elastic
•Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre
•Elia Florio, Microsoft
•Elly Searle, CrowdStrike — contributed to tactic definitions
•Emile Kenning, Sophos
•Emily Ratliff, IBM
•Eric Kuehn, Secure Ideas
•Erika Noerenberg, @gutterchurl, Carbon Black
•Erye Hernandez, Palo Alto Networks
•ESET
•Expel
•Felipe Espósito, @Pr0teus
•Filip Kafka, ESET
•FS-ISAC
•George Allen, VMware Carbon Black
•Hans Christoffer Gaardløs
•Heather Linn
•Ibrahim Ali Khan
•Itamar Mizrahi, Cymptom
•Itzik Kotler, SafeBreach
•Ivan Sinyakov
•Jacob Wilkin, Trustwave, SpiderLabs
•Jacques Pluviose, @Jacqueswildy_IT
•James Dunn, @jamdunnDFW, EY
•Jan Miller, CrowdStrike
•Jan Petrov, Citi
•Janantha Marasinghe
•Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
•Jared Atkinson, @jaredcatkinson
•Jean-Ian Boutin, ESET
•Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
•Jeremy Galloway
•Jesse Brown, Red Canary
•Jimmy Astle, @AstleJimmy, Carbon Black
•Johann Rehberger
•John Lambert, Microsoft Threat Intelligence Center
•John Strand
•Jon Sternstein, Stern Security
•Jonathan Shimonovich, Check Point
•Jose Luis Sánchez Martinez
•Josh Abraham
•Josh Campbell, Cyborg Security, @cyb0rgsecur1ty
•Josh Day, Gigamon
•Justin Warner, ICEBRG
•Jörg Abraham, EclecticIQ
•Kaspersky
•Kobi Eisenkraft, Check Point
•Lab52 by S2 Grupo
•Lee Christensen, SpecterOps
•Leo Loobeek, @leoloobeek
•Leo Zhang, Trend Micro
•Loic Jaquemet
•Lorin Wu, Trend Micro
•Lucas da Silva Pereira, @vulcanunsec, CIP
•Lukáš Štefanko, ESET
•Marc-Etienne M.Léveillé, ESET
•Mark Wee
•Martin Jirkal, ESET
•Martin Smolár, ESET
•Mathieu Tartare, ESET
•Matias Nicolas Porolli, ESET
•Matt Graeber, @mattifestation, SpecterOps
•Matt Kelly, @breakersall
•Matt Snyder, VMware
•Matthew Demaske, Adaptforward
•Matthew Molyett, @s1air, Cisco Talos
•Matthieu Faou, ESET
•McAfee
•Menachem Shafran, XM Cyber
•Michael Cox
•Michal Dida, ESET
•Microsoft Threat Intelligence Center (MSTIC)
•Mike Kemmerer
•Milos Stojadinovic
•Mnemonic
•Netskope
•Nick Carr, FireEye
•Nik Seetharaman, Palantir
•Nishan Maharjan, @loki248
•Oddvar Moe, @oddvarmoe
•Ofir Almkias, Cybereason
•Ohad Mana, Check Point
•Oleg Kolesnikov, Securonix
•Oleg Skulkin, Group-IB
•Oleksiy Gayda
•Omkar Gudhate
•Patrick Campbell, @pjcampbe11
•Paul Speulstra, AECOM Global Security Operations Center
•Pedro Harrison
•Phil Stokes, SentinelOne
•Praetorian
•Prashant Verma, Paladion
•Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
•Red Canary
•RedHuntLabs, @redhuntlabs
•Ricardo Dias
•Richard Gold, Digital Shadows
•Richie Cyrus, SpecterOps
•Rick Cole, FireEye
•Rob Smith
•Robby Winchester, @robwinchester3
•Robert Falcone
•Robert Simmons, @MalwareUtkonos
•Rodrigo Garcia, Red Canary
•Romain Dumont, ESET
•Ryan Becwar
•Ryan Benson, Exabeam
•Sahar Shukrun
•Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
•SarathKumar Rajendran, Trimble Inc
•Scott Knight, @sdotknight, VMware Carbon Black
•Scott Lundgren, @5twenty9, Carbon Black
•Sebastian Salla, McAfee
•Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee)
•Sergey Persikov, Check Point
•Shailesh Tiwary (Indian Army)
•Shane Tully, @securitygypsy
•Stefan Kanthak
•Steven Du, Trend Micro
•Sudhanshu Chauhan, @Sudhanshu_C
•Sunny Neo
•Suzy Schapperle - Microsoft Azure Red Team
•Swapnil Kumbhar
•Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
•Sylvain Gil, Exabeam
•Sébastien Ruel, CGI
•Tatsuya Daitoku, Cyber Defense Institute, Inc.
•Teodor Cimpoesu
•Tim MalcomVetter
•Toby Kohlenberg
•Tom Ueltschi @c_APT_ure
•Tony Lambert, Red Canary
•Travis Smith, Tripwire
•Trend Micro Incorporated
•Tristan Bennett, Seamless Intelligence
•Valerii Marchuk, Cybersecurity Help s.r.o.
•Veeral Patel
•Vikas Singh, Sophos
•Vinayak Wadhwa, Lucideus
•Vincent Le Toux
•Walker Johnson
•Wayne Silva, F-Secure Countercept
•Wes Hurd
•Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
•Yonatan Gotlib, Deep Instinct
Individuals + orgs
contributing to
ATT&CK!

40. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21
attack@mitre.org
@MITREattack
Adam Pennington
@_whatshisface