
State of the ATTACK

From MITRE ATT&CKcon Power Hour January 2021

By Adam Pennington, ATT&CK Lead, MITRE

Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.



  1. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-21. State of the ATT&CK® • Adam Pennington, ATT&CK Lead, @_whatshisface
  2. MITRE ATT&CK Remains Strong • Backed by 39 MITRE staff and a growing community (work areas shown: Enterprise, Cloud, Network Devices, ICS, Mobile, CAR, Infrastructure, Threat Intel, Outreach)
  3. (image-only slide)
  4. ATT&CKcon Power Hour by the Numbers • CFP open three weeks in August • 46% of submissions on the last day, 73% in the last four • 28% acceptance rate, judged blind by a 6-person PC • 4 90-minute sessions over 4 months • 20 talks
  5. ATT&CKcon Power Hour Themes: likethecoins, Cloud, Mobile, Threats (ATT&CK meme by @savvyspoon)
  6. ATT&CKcon 2021
  7. Looking Back on 2020 http://gunshowcomic.com/648
  8. Enterprise ATT&CK as of January 2020 (full matrix image; the matrix graphic itself carries the watermark "© 2019 The MITRE Corporation. All rights reserved. Matrix current as of May 2019"). Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
  9. Enterprise ATT&CK as of January 2021 (full matrix image). Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
  10. Why Sub-Techniques? • Abstraction imbalance across the knowledge base: some techniques are broad (Masquerading), some narrow (Rundll32); this was the most common complaint over the past couple of years • Techniques have a lot of depth to them: some people don't read beyond the name, and an analytic per technique may not make coverage "green" • Technique overload: "Too many techniques!", "The matrix is too big!"
  11. Sub-Technique Example • Credential Access techniques: Brute Force, Forced Authentication, Input Capture, OS Credential Dumping, Unsecured Credentials, … • OS Credential Dumping sub-techniques: Security Accounts Manager, LSA Secrets, Cached Domain Credentials, Proc Filesystem, …
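The point of slides 10 and 11 is that a single analytic mapped to a parent technique says little about which of its sub-techniques a defender would actually observe. The script below (an added example, not MITRE code) scores coverage at sub-technique granularity using the OS Credential Dumping sub-techniques named on the slide; the analytics and their mappings are constructed for the demonstration.

```python
"""Scoring detection coverage at sub-technique granularity.

Added example, not MITRE code. Technique and sub-technique names come from
the slide; the analytics and their mappings are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Technique:
    name: str
    tactic: str
    sub_techniques: list = field(default_factory=list)


# Constructed slice of the knowledge base: the Credential Access techniques
# shown on the slide, with the sub-techniques listed for OS Credential Dumping.
KB = [
    Technique("Brute Force", "Credential Access"),
    Technique("Forced Authentication", "Credential Access"),
    Technique("Input Capture", "Credential Access"),
    Technique("OS Credential Dumping", "Credential Access", [
        "Security Accounts Manager", "LSA Secrets",
        "Cached Domain Credentials", "Proc Filesystem",
    ]),
    Technique("Unsecured Credentials", "Credential Access"),
]

# Constructed analytics: name -> (technique, sub-technique or None when the
# analytic is mapped to the parent technique only).
ANALYTICS = {
    "SAM hive saved via reg.exe": ("OS Credential Dumping", "Security Accounts Manager"),
    "non-debugger read of /proc/<pid>/mem": ("OS Credential Dumping", "Proc Filesystem"),
    "burst of failed logons from one source": ("Brute Force", None),
}


def coverage(kb, analytics):
    """Return {technique: (score, uncovered sub-techniques)}.

    A technique without sub-techniques scores 1.0 when any analytic maps to it.
    A technique with sub-techniques scores the fraction of its sub-techniques
    that have a dedicated analytic; an analytic mapped only to the parent is
    deliberately not credited to every sub-technique, because it does not say
    which of them it would actually see.
    """
    hits = {}
    for technique, sub in analytics.values():
        hits.setdefault(technique, set()).add(sub)
    report = {}
    for t in kb:
        mapped = hits.get(t.name, set())
        if not t.sub_techniques:
            report[t.name] = (1.0 if mapped else 0.0, [])
            continue
        uncovered = [s for s in t.sub_techniques if s not in mapped]
        score = 1 - len(uncovered) / len(t.sub_techniques)
        report[t.name] = (score, uncovered)
    return report


def status(score):
    """Traffic-light label of the kind used when painting a matrix."""
    if score >= 1.0:
        return "green"
    return "yellow" if score > 0 else "red"


if __name__ == "__main__":
    for name, (score, gaps) in coverage(KB, ANALYTICS).items():
        line = f"{status(score):6} {score:.2f}  {name}"
        print(line + (f"  missing: {gaps}" if gaps else ""))
```

With the constructed analytics, OS Credential Dumping comes out yellow at 0.50 with LSA Secrets and Cached Domain Credentials listed as gaps, which is the information a "one analytic, one green cell" view hides.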
  12. New Technique Page
  13. New Sub-Technique
  14. Sub-Techniques are Here! • Released March 31st in beta • Became ATT&CK on July 8th • Website • STIX/TAXII • ATT&CK Navigator • Crosswalks from pre-sub-techniques to sub-techniques • Design & Philosophy paper
  15. (image-only slide)
  16. The PRE Merge • Deprecated the PRE-ATT&CK matrix in favor of a PRE Enterprise platform • 2 new tactics • Criteria for inclusion: 1. Technical 2. Visible to some defenders 3. Evidence of adversary use
  17. Reconnaissance • Actively or passively gathering information that can be used to support targeting • 10 techniques & 31 sub-techniques • Split into what & how
  18. Resource Development • Building, buying, or compromising resources that can be used during targeting: infrastructure, accounts, capabilities • 6 techniques & 26 sub-techniques
  19. PRE-ATT&CK Merge: check out Mike and Jamie's presentation from November's ATT&CKcon Power Hour https://youtu.be/M_uG_hlmTcA
  20. ATT&CK for Network Devices • New platform in Enterprise • Techniques against network infrastructure devices • 13 techniques and 15 sub-techniques added or modified
  21. ATT&CK for ICS: Unique Adversary Goals, Technology Differences, Different Defenses
  22. ICS Matrix released in January 2020
  23. ATT&CK for ICS: check out Otis's presentation from December's ATT&CKcon Power Hour https://youtu.be/_GZwY-9QyFk
  24. What's Coming in 2021? (Photo by Adam Pennington)
  25. ATT&CK for Enterprise • A period of stability • No changes as big as PRE or sub-techniques on our roadmap • Major releases currently planned in April and October (platforms: Windows, Mac, Linux, Cloud, PRE, Network Devices)
  26. ATT&CK for Enterprise (v8.2) • Several new/updated techniques from reporting around the SolarWinds supply chain injection/UNC2452 • Preview of techniques we've spotted, to be added in v8.2: http://bit.ly/ATTACKPRVW • Repo listing related reports with behaviors: http://bit.ly/ATTACKRPTS • Both resources are being regularly updated
  27. ATT&CK for Enterprise (Mac/Linux) • Ongoing effort to improve and expand coverage • Historically much less focus than on Windows techniques • macOS updates targeted for the April release • Linux updates targeted for the October release
  28. ATT&CK for Enterprise (Data Sources) • Currently a list of text strings • No details beyond the name • No descriptions behind them
  29. Adding metadata to ATT&CK data sources (diagram, left to right) • Data Source: Process • Data Components: Process Creation, Process Modification, Process Access, Network Connection • Relationships: Process created Process, User created Process, Process connected to Ip, User connected to Ip, Process wrote to Process, Process opened Process • Event Logs: Sysmon 1 (Process Creation), Sysmon 3 (Network Connection), Sysmon 8 (Create Remote Thread), Sysmon 10 (Process Access), Security 4688 (Process Created), Security 5156 (Connection Permitted)
  30. ATT&CK for Enterprise (Data Sources): for a deeper dive on data sources, check out Jose's Data Sources posts on our blog https://medium.com/mitre-attack
  31. Data Sources as an Object • Slated for Enterprise in the April ATT&CK release • Should flow to other parts of ATT&CK over time • Will dramatically improve ATT&CK data sources
  32. ATT&CK for Enterprise (Cloud) • Current: SaaS, IaaS • Future: additional SaaS platforms….
  33. Cloud Example • Data Source: Instance • Data Components: Instance Creation, Instance Modification, Instance Deletion, Instance Metadata, Instance Enumeration, Instance Start, Instance Stop • Events (API): AWS ListInstances, ModifyInstanceAttribute, TerminateInstances, DescribeInstances, RunInstances, StartInstances, StopInstances
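Slides 29 and 33 describe the same layering, data source to data component to relationship to the concrete event log or API call that feeds it, once for Process on Windows and once for Instance in the cloud. The script below is an added example (not MITRE code) that encodes both and resolves raw event records to the component they feed, so a defender can ask which components their telemetry actually covers. The Sysmon/Security event numbers, the component names and the AWS API names are taken from the slides; the pairing of each AWS API call with a component, the Instance relationship strings, the "CloudTrail" provider label and the sample records (including the field names used to recognise them) are assumptions made for this example.

```python
"""Resolving raw events to ATT&CK data components.

Added example, not MITRE code. The layering data source -> data component ->
relationship -> event log, the Sysmon/Security mappings and the AWS API names
follow the two slides; the assignment of each AWS API call to a component, the
Instance relationship strings, the "CloudTrail" provider label and the sample
records (and the field names used to recognise them) are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataComponent:
    source: str        # data source object, e.g. "Process" or "Instance"
    name: str          # data component, e.g. "Process Creation"
    relationship: str  # what is observed, e.g. "Process created Process"


def _instance(component, relationship):
    return DataComponent("Instance", component, relationship)


# (platform, provider, event id or API name) -> data component.
EVENT_MAP = {
    ("windows", "Sysmon", "1"): DataComponent("Process", "Process Creation", "Process created Process"),
    ("windows", "Sysmon", "3"): DataComponent("Process", "Network Connection", "Process connected to Ip"),
    ("windows", "Sysmon", "8"): DataComponent("Process", "Process Modification", "Process wrote to Process"),
    ("windows", "Sysmon", "10"): DataComponent("Process", "Process Access", "Process opened Process"),
    ("windows", "Security", "4688"): DataComponent("Process", "Process Creation", "User created Process"),
    ("windows", "Security", "5156"): DataComponent("Process", "Network Connection", "User connected to Ip"),
    # Assumed pairing of the slide's AWS API names with its Instance components.
    ("aws", "CloudTrail", "RunInstances"): _instance("Instance Creation", "User created Instance"),
    ("aws", "CloudTrail", "ModifyInstanceAttribute"): _instance("Instance Modification", "User modified Instance"),
    ("aws", "CloudTrail", "TerminateInstances"): _instance("Instance Deletion", "User deleted Instance"),
    ("aws", "CloudTrail", "DescribeInstances"): _instance("Instance Metadata", "User read Instance metadata"),
    ("aws", "CloudTrail", "ListInstances"): _instance("Instance Enumeration", "User enumerated Instances"),
    ("aws", "CloudTrail", "StartInstances"): _instance("Instance Start", "User started Instance"),
    ("aws", "CloudTrail", "StopInstances"): _instance("Instance Stop", "User stopped Instance"),
}


def resolve(event):
    """Return the DataComponent a single event record feeds, or None if unmapped."""
    if "eventSource" in event:                                   # CloudTrail-style record
        key = ("aws", "CloudTrail", event.get("eventName", ""))
    elif event.get("Provider") == "Microsoft-Windows-Sysmon":
        key = ("windows", "Sysmon", str(event.get("EventID")))
    elif event.get("Provider") == "Microsoft-Windows-Security-Auditing":
        key = ("windows", "Security", str(event.get("EventID")))
    else:
        return None
    return EVENT_MAP.get(key)


def components_observed(events):
    """(source, component) pairs that at least one record in the batch feeds."""
    return {(c.source, c.name) for c in map(resolve, events) if c is not None}


def coverage_gap(required, events):
    """Components a detection needs that nothing in the batch of events feeds."""
    return set(required) - components_observed(events)


# Constructed sample records, one per log shape the resolver understands.
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688,
     "SubjectUserName": "alice"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"userName": "alice"}},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 11},   # file create: not mapped here
]

# A detection that wants both creation and access telemetry for Process.
NEEDS = {("Process", "Process Creation"), ("Process", "Process Access")}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(resolve(ev))
    print("gap:", coverage_gap(NEEDS, SAMPLE_EVENTS))
```

Run on the sample batch, the resolver reports that Process Creation is fed twice (Sysmon 1 and Security 4688, with different relationships), Instance Creation once, and that nothing feeds Process Access, which is exactly the kind of answer a bare list of data-source strings could never give.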
  34. ATT&CK for Enterprise (Cloud): check out Jen's presentation from October's ATT&CKcon Power Hour https://youtu.be/a-xs5VqlcKI
  35. ATT&CK for Enterprise (Containers): Microsoft's ATT&CK-like "Threat Matrix for Kubernetes"
  36. ATT&CK for Enterprise (Containers): check out Jen's ATT&CK for Containers post on https://medium.com/mitre-engenuity • Investigating adversary behaviors in containers • May be added to ATT&CK if enough intel exists • Please contribute!
  37. ATT&CK Workbench • Tool allowing users to explore, create, annotate and share extensions of ATT&CK • Planned to become the ATT&CK team's content creation tool • Slated for release later in 2021
  38. ATT&CK for Mobile & ICS (Mobile ATT&CK, Enterprise ATT&CK, ICS ATT&CK: "It's just") • Working towards feature equity with Enterprise • ICS: Otis Alexander's talk https://youtu.be/_GZwY-9QyFk • Mobile: watch for upcoming blog posts
  39. Thank you ATT&CK Community! •Alain Homewood, Insomnia Security •Christoffer Strömblad •Alan Neville, @abnev •Alex Hinchliffe, Palo Alto Networks •Alfredo Abarca •Allen DeRyke, ICE •Anastasios Pingios •Andrew Smith, @jakx_ •Arie Olshtein, Check Point •AttackIQ •Aviran Hazum, Check Point •Avneet Singh •Barry Shteiman, Exabeam •Bart Parys •Bartosz Jerzman •Brian Prange •Brian Wiltse @evalstrings •Bryan Lee •Carlos Borges, @huntingneo, CIP •Casey Smith •Center for Threat-Informed Defense (CTID) •Chen Erlich, @chen_erlich, enSilo •Chris Roffe •Christiaan Beek, @ChristiaanBeek •Christopher Glyer, FireEye, @cglyer •Cody Thomas, SpecterOps •Craig Aitchison •CrowdStrike Falcon OverWatch •Cybereason Nocturnus, @nocturnus •Dan Nutting, @KerberToast •Daniel Oakley •Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project •Daniyal Naeem, @Mrdaniyalnaeem •Darren Spruell •Dave Westgard •David Ferguson, CyberSponse •David Lu, Tripwire •David Routin •Deloitte Threat Library Team •Diogo Fernandes •Doron Karmi, @DoronKarmi •Drew Church, Splunk •Ed Williams, Trustwave, SpiderLabs •Edward Millington •Elastic •Elger Vinicius S. 
Rodrigues, @elgervinicius, CYBINT Centre •Elia Florio, Microsoft •Elly Searle, CrowdStrike — contributed to tactic definitions •Emile Kenning, Sophos •Emily Ratliff, IBM •Eric Kuehn, Secure Ideas •Erika Noerenberg, @gutterchurl, Carbon Black •Erye Hernandez, Palo Alto Networks •ESET •Expel •Felipe Espósito, @Pr0teus •Filip Kafka, ESET •FS-ISAC •George Allen, VMware Carbon Black •Hans Christoffer Gaardløs •Heather Linn •Ibrahim Ali Khan •Itamar Mizrahi, Cymptom •Itzik Kotler, SafeBreach •Ivan Sinyakov •Jacob Wilkin, Trustwave, SpiderLabs •Jacques Pluviose, @Jacqueswildy_IT •James Dunn, @jamdunnDFW, EY •Jan Miller, CrowdStrike •Jan Petrov, Citi •Janantha Marasinghe •Jannie Li, Microsoft Threat Intelligence Center (MSTIC) •Jared Atkinson, @jaredcatkinson •Jean-Ian Boutin, ESET •Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services) •Jeremy Galloway •Jesse Brown, Red Canary •Jimmy Astle, @AstleJimmy, Carbon Black •Johann Rehberger •John Lambert, Microsoft Threat Intelligence Center •John Strand •Jon Sternstein, Stern Security •Jonathan Shimonovich, Check Point •Jose Luis Sánchez Martinez •Josh Abraham •Josh Campbell, Cyborg Security, @cyb0rgsecur1ty •Josh Day, Gigamon •Justin Warner, ICEBRG •Jörg Abraham, EclecticIQ •Kaspersky •Kobi Eisenkraft, Check Point •Lab52 by S2 Grupo •Lee Christensen, SpecterOps •Leo Loobeek, @leoloobeek •Leo Zhang, Trend Micro •Loic Jaquemet •Lorin Wu, Trend Micro •Lucas da Silva Pereira, @vulcanunsec, CIP •Lukáš Štefanko, ESET •Marc-Etienne M.Léveillé, ESET •Mark Wee •Martin Jirkal, ESET •Martin Smolár, ESET •Mathieu Tartare, ESET •Matias Nicolas Porolli, ESET •Matt Graeber, @mattifestation, SpecterOps •Matt Kelly, @breakersall •Matt Snyder, VMware •Matthew Demaske, Adaptforward •Matthew Molyett, @s1air, Cisco Talos •Matthieu Faou, ESET •McAfee •Menachem Shafran, XM Cyber •Michael Cox •Michal Dida, ESET •Microsoft Threat Intelligence Center (MSTIC) •Mike Kemmerer •Milos Stojadinovic •Mnemonic •Netskope •Nick Carr, 
FireEye •Nik Seetharaman, Palantir •Nishan Maharjan, @loki248 •Oddvar Moe, @oddvarmoe •Ofir Almkias, Cybereason •Ohad Mana, Check Point •Oleg Kolesnikov, Securonix •Oleg Skulkin, Group-IB •Oleksiy Gayda •Omkar Gudhate •Patrick Campbell, @pjcampbe11 •Paul Speulstra, AECOM Global Security Operations Center •Pedro Harrison •Phil Stokes, SentinelOne •Praetorian •Prashant Verma, Paladion •Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International •Red Canary •RedHuntLabs, @redhuntlabs •Ricardo Dias •Richard Gold, Digital Shadows •Richie Cyrus, SpecterOps •Rick Cole, FireEye •Rob Smith •Robby Winchester, @robwinchester3 •Robert Falcone •Robert Simmons, @MalwareUtkonos •Rodrigo Garcia, Red Canary •Romain Dumont, ESET •Ryan Becwar •Ryan Benson, Exabeam •Sahar Shukrun •Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC) •SarathKumar Rajendran, Trimble Inc •Scott Knight, @sdotknight, VMware Carbon Black •Scott Lundgren, @5twenty9, Carbon Black •Sebastian Salla, McAfee •Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee) •Sergey Persikov, Check Point •Shailesh Tiwary (Indian Army) •Shane Tully, @securitygypsy •Stefan Kanthak •Steven Du, Trend Micro •Sudhanshu Chauhan, @Sudhanshu_C •Sunny Neo •Suzy Schapperle - Microsoft Azure Red Team •Swapnil Kumbhar •Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) •Sylvain Gil, Exabeam •Sébastien Ruel, CGI •Tatsuya Daitoku, Cyber Defense Institute, Inc. •Teodor Cimpoesu •Tim MalcomVetter •Toby Kohlenberg •Tom Ueltschi @c_APT_ure •Tony Lambert, Red Canary •Travis Smith, Tripwire •Trend Micro Incorporated •Tristan Bennett, Seamless Intelligence •Valerii Marchuk, Cybersecurity Help s.r.o. •Veeral Patel •Vikas Singh, Sophos •Vinayak Wadhwa, Lucideus •Vincent Le Toux •Walker Johnson •Wayne Silva, F-Secure Countercept •Wes Hurd •Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank •Yonatan Gotlib, Deep Instinct Individuals + orgs contributing to ATT&CK!
  40. attack@mitre.org • @MITREattack • Adam Pennington @_whatshisface
