MITRE ATT&CK® - A knowledge base for describing the behavior of adversaries. Replying/Following/Re-tweeting ≠ endorsement. @ attack.mitre.org

McLean, VA
The ATT&CKcon 7.0 CFP is open! Want to join us on stage in McLean, VA, 10/28-29? We'd love to hear your best talk ideas with some relation to ATT&CK so we can bring them to the wider ATT&CK community. To submit, go to openconf.org/ATTACKcon2026/ before 8pm ET on July 2nd.
As we get ready to release ATT&CK for Containers with our April release, we realize that some have gotten the wrong impression of how we’ve scoped Containers. We wanted to share some examples of upcoming groups and techniques starting with our new Ever Given group page.
How do I get started using ATT&CK? No matter how sophisticated your team is, our new blog series can help you figure that out. First up, @likethecoins walks through a couple ideas for how you can use ATT&CK for #threatintel. medium.com/mitre-attack/gett…
It has launched! ATT&CK v9 is now live with refactored data sources, ATT&CK for Containers, Google Workspace as a platform and more! Read about new data sources and the rest of the update at medium.com/mitre-attack/atta… or attack.mitre.org/resources/u… for new/changed groups/techniques/sw.
Our beta release of ATT&CK with sub-techniques is now live! We’ve just posted a blog post by @stromcoffee with links to all of the new resources and advice on how to leverage them (medium.com/mitre-attack/atta…). You can also check out the new site itself at attack.mitre.org/beta/.

The April 2019 release of ATT&CK is out including our new Impact tactic! We’ve added 21 techniques (14 in Impact), 8 groups, and 50 software entries. We’ve also made updates to 22 techniques, 31 groups, and 46 software entries. attack.mitre.org/resources/u…
Wow! Much excite!
We're excited to release results of our first round of ATT&CK Evaluations at attackevals.mitre.org/! Check out @FrankDuff's blog: medium.com/mitre-attack/firs…. Thanks to our initial cohort: @CarbonBlack_Inc @CounterTack @CrowdStrike @EndgameInc @WDSecurity @RSAsecurity @SentinelOne
We've released the ATT&CK Navigator today. It's a tool to help build color coded ATT&CK Matrix visualizations and heat maps, but now with less MS Excel mitre.org/capabilities/cyber…
We’re excited to announce the initial release of ATT&CK for ICS! You can find the ICS knowledge base at attack.mitre.org/ics and a blog post by @ojalexander explaining what’s new and different here: medium.com/mitre-attack/laun…. Thank you to everyone who helped us get here!
October ATT&CK update is now live! Lots of new information in Enterprise, Mobile, Groups, and Software. The biggest change is the addition of ATT&CK for Cloud! Thanks to all our contributors that helped with this update and with Cloud! Update notes: attack.mitre.org/resources/u…
We'd like to announce a new Tactic for Enterprise ATT@CK, "Flailing". We feel that these 10 new techniques describe a number of adversary and red team behaviors previously missing from ATT@CK. New techniques include "Invalid Accounts", "Commonly Blocked Port", "Visible Windows."
Subs have launched! After 3 months in beta, ATT&CK with Sub-Techniques (with some small fixes) has become... ATT&CK (attack.mitre.org/resources/u…). We've published a new blog post (medium.com/mitre-attack/atta…) that includes updates to our crosswalk format and describes what's changed.

It's a v10! Our release of ATT&CK is now live with new data source objects, improvements to macOS/Linux content, and updates across the board. A new blog post describes the changes at medium.com/mitre-attack/intr… or you can go to attack.mitre.org/resources/u… and score it yourself!

You've been asking, and our #ATTACKcon content is now live! Check out videos here (piped.video/playlist?list=PL…) and slides here (slideshare.net/attackcon2018…). We've also put out a blog post taking a look back and revealing the results of our voting on techniques: medium.com/mitre-attack/atta…
(T1850) Non-Standard Port
Is your child texting about ATT&CK? Know the signs: LOL: Loading Offensive Libraries ETA: Exploiting Trusted Accounts SMH: Signing Malicious HTAs WYD: Writing YARA Detections
The Enterprise ATT&CK site has been updated! ATT&CK is now up to 188 techniques attack.mitre.org/wiki/Main_P… Here's a list of changes: attack.mitre.org/wiki/Update…
Deciding which technique to map got you down? Today @CISAgov released an open-source tool to guide you through mapping to ATT&CK. We were happy to provide help and advice in coordination with @MITREcorp's #HSSEDI. 📰 cisa.gov/news-events/news/he… 🔧github.com/cisagov/decider
The ATT&CK Evaluations Team just released the APT29 Evaluation results, DIY Eval profile, and a Joystick update on attackevals.mitre.org. Check out medium.com/mitre-attack/atta… to learn more about the evaluation process.
Want to buy 100% ATT&CK? Now introducing non-fungible techniques. 💀🚨♥️ Today, 4/1, we’re excited to announce the launch of the Bored ATT&CK Technique Club! We’ll be minting Technique NFTs throughout the day, initial drop ready to go now. 💎🤲 opensea.io/collection/bored-…
CALDERA 2.0 is now live at github.com/mitre/caldera, with support for new platforms, better usability, and an all new Chain mode. If you're at @BSidesCharm today, you can hear all about the new version and see a live demo from @privateducky at 3pm in Track 1.
aaaaand it's up! ATT&CK now includes the first version of Mac and Linux techniques. attack.mitre.org/wiki/Main_P…
The present everyone has been asking for is here! We are excited to announce the beta release of TRAM, a tool to aid in mapping reports to ATT&CK. You can find our latest blog with all the details at medium.com/mitre-attack/auto… and the source code at github.com/mitre-attack/tram.
In light of an uptick in recent technique submissions, we’d like to announce a new ATT&CK model, ATT&CK for Teleworking. We encourage the community to share Tactic and Technique suggestions via Twitter DM or mention, each must include a procedure in the form of a gif.
To help you see what was new in our April 2018 update, check out the Navigator layer we just added at github.com/mitre/attack-navi… (green=new and yellow=modified). Read more about the "why" behind the Initial Access change here: mitre.org/capabilities/cyber… @MITREpreattack
For anyone looking to write ATT&CK-based detections, the process @verri3r describes could help: hypothesize, find out what's normal, write, test, peer review, and publish. Also a solid list of ?s to ask about what execution should look like. redcanary.com/blog/detection… @redcanaryco
We're releasing an ATT&CK for Enterprise content update next Tuesday 1/16. There may be a bit of downtime. Some highlights: 19 new techniques (now up to 188), nine new groups, 26 new software entries. Many techniques and groups have had content updates
Congrats to @mitrecorp InfoSec on their release of Shield (shield.mitre.org)! Shield is a knowledge base of active defense and adversary engagement options structured similarly to ATT&CK and linked to ATT&CK techniques. We look forward to seeing how it evolves and grows!

We’re excited to announce that we're hosting ATT&CKcon on Oct. 23-24 @MITREcorp! Whether you’re using ATT&CK now or thinking about it for the future (or you just like ampersands), this is the con for you. Email us to get on the distro for announcements: ATTACKcon@mitre.org
You can detect more than just C2 & exfil with network logs. Check out BZAR, a collection of @Zeekurity analytics aimed at detecting ATT&CK techniques that leverage RPC & SMB: github.com/mitre-attack/car/…. Let us know if you want to contribute to BZAR or the Cyber Analytics Repository!
The updates to ATT&CK and @mitrepreattack are out, now with more Initial Access! Check out the update log attack.mitre.org/wiki/Update…
We've released the APT3 Adversary Emulation Plan based on ATT&CK. These plans help describe a threat group's behavior for the purposes of testing security. Special thanks to @ckorban, Doug Miller, Adam Pennington, and @its_a_feature_ for their work attack.mitre.org/wiki/Advers…
We're excited to begin a short beta-test period for the new MITRE ATT&CK website - check it out at mitre-attack.github.io. We're also moving the ATT&CK blog over to @Medium and our first new blog describes the website beta release medium.com/mitre-attack/new-…
Announcing the ATT&CKcon Power Hour! Instead of a 2 day conference, starting Oct 9 we'll be running a series of 90 minute virtual events! The CFP will be opening shortly for your talks on the most practical, aspirational, and things to always avoid with ATT&CK.
You asked, we listened. Our sister project, Cyber Analytics Repository (CAR), was migrated to Github as we start to reinvigorate the project to make it easier to contribute. Check out @jwunder's blog post (medium.com/mitre-attack/cybe…) and the new site: car.mitre.org/
We're excited to see the launch of the Center for Threat-Informed Defense! Rest assured: the Center will help accelerate research around ATT&CK and defense, but ATT&CK will remain free and open to all. You can use and contribute to ATT&CK whether you're a Center member or not.
#Cybersecurity challenges transcend individual organizations, fields, and countries. The Center for Threat-Informed Defense is bringing the private sector together to improve cyber defenses for all. bit.ly/2qLSrUH
Individual ATT&CKcon 2.0 videos are now up on YouTube! piped.video/playlist?list=PL… We'll have a page up shortly linking to slides from the conference. Thank you again to all of our speakers for making this possible!
The next post in our "Getting Started with ATT&CK" blog series is now live. This week, @jwunder gives pointers on how you can write ATT&CK-based analytics, test them with purple teaming, and use ATT&CK to measure your progress. medium.com/mitre-attack/gett…
The ATT&CK website code is now open sourced! It generates static pages from STIX 2.0 data and can be used to build local copies with custom content using your own STIX bundles. Send PRs if you extend the site in a useful way and want to share! github.com/mitre-attack/atta…
We recently released v.2.2 of the Navigator. Check out all the new features, like the ability to load multiple layers by default and add your own customized metadata to layers, here - github.com/mitre/attack-navi…
Docker container to serve up the ATT&CK Navigator thanks to @DavidJBianco hub.docker.com/r/davidjbianc…
Now you can generate ATT&CK into a format many of you have asked for, Excel! Our new mitreattack-python pip library contains the Excel generator plus tools for working with ATT&CK Navigator layers. github.com/mitre-attack/mitr… pypi.org/project/mitreattack…

Get ready, ATT&CK v9 is coming Thursday, April 29th! We've already shared our roadmap for April and October releases (medium.com/mitre-attack/att-…) but excited to now have a date.

Ready to fire on all cylinders across the whole adversary lifecycle? ATT&CK v8 is out! It has two new tactics, Reconnaissance and Resource Development, replacing the scope of PRE-ATT&CK. @_whatshisface and @snarejen have written a post about the changes: medium.com/mitre-attack/the-….

If you're a fan of testing defenses against ATT&CK techniques, you may be interested in this contribution to #opensource testing frameworks
Endgame launches open-source project to drive adoption of @MITREattack ; allow security teams to test defenses against most advanced attacker behaviors: ow.ly/luxY30j2vQw #redteam #opensource @_devonkerr_
Y'all realize that you don't need to reload all of ATT&CK from our TAXII server several times an hour? We only release twice a year. Love, Our AWS bill

We're excited to announce a new initiative to offer ATT&CK-based evaluations for #EDR products as a way to advance the market. The first-round CFP is open through April 13. Contact us at attackevals@mitre.org for more info or to request participation. mitre.org/news/press-release…
On October 21 (2021) v10 of ATT&CK will arrive! v10 will feature our new Data Sources objects (previewed at github.com/mitre-attack/atta…), along with updates to Techniques, Groups, and Software across all of our platforms.

Continuing our series on ATT&CK misunderstandings, we'd like to discuss attribution... It may be tempting to attribute groups based on technique usage, but ATT&CK techniques only represent ONE aspect of a group & are generally too broad to produce reliable attribution alone.
We're gearing up to celebrate Windows XP's 21st birthday in style by releasing ATT&CK v12. Watch this space October 25th for the initial release of Campaigns, and updates across ATT&CK for Enterprise, ICS, and Mobile!
We’re getting a lot of questions on if videos of #ATTACKcon 2.0 talks will be posted. They will, in the not too distant future. We’ve also left the videos of our stream up. Day 1: piped.video/xiUvOGr7Zfg Day 2: piped.video/L3KxKAGSJp4 ATT&CKcon 2018: attack.mitre.org/resources/a…
Boo, it's an ATT&CK v14! 👻 Come grab full-sized treats from our blog post medium.com/mitre-attack/atta…, release notes attack.mitre.org/resources/u…, or our detailed change log attack.mitre.org/docs/change….
Looking to automate your ATT&CK Navigator workflow? We recently released fresh Python scripts implementing several Navigator functionalities, including export to Excel! Check it out at github.com/mitre-attack/atta….
We are getting very close to our next ATT&CK release and the retirement of PRE-ATT&CK in its current form. ATT&CK for Enterprise will be adding new tactics to take its place, as described by @_whatshisface at ATT&CKcon 2.0 (slideshare.net/attackcon2018…). Watch this space next Tuesday!

Big changes coming in this week's update to better align ATT&CK and @MITREpreattack. We're adding Initial Access to ATT&CK to cover how adversaries gain access to enterprise networks -- it's no longer strictly post-compromise. PRE-ATT&CK's Launch and Compromise will be deprecated
We're trying something new for our next adversary emulation plan on APT29. We invite the community to contribute #threatintel, and then we'll openly publish the plan along with ATT&CK Evaluations results. Check out our blog & send contributions by 3/15: medium.com/mitre-attack/open…
We're excited to see @HybridAnalysis mapping sandbox analysis to ATT&CK! This is a great way to give an understanding of malware behavior by using a common language.
[UPDATE] We took on the challenge and now map behavior indicators to the MITRE ATT&CK framework for industry standard visibility into techniques and tactics. Example: hybrid-analysis.com/sample/1…
Earlier this week, @CISACyber released updates to their Best Practices for MITRE ATT&CK Mapping guide focusing on avoiding common pitfalls, better representing ATT&CK in reports, and guidance specific to ATT&CK for ICS. Check it out at go.dhs.gov/Zar
Let's continue our ATT&CK misunderstandings series & discuss procedures. People sometimes assume ATT&CK is trying to cover every possible way a (sub-)technique can be done, but our procedures only cover what we've seen in public reporting tied to Groups, Software, or Campaigns.
For an overview of what ATT&CK is and how to get started using it, check out @likethecoins' presentation from @Sp4rkCon - "Putting MITRE ATT&CK into Action with What You Have, Where You Are." piped.video/bkfwMADar0M
We've been tracking reporting on the recent activity related to UNC2452/Solarigate with an eye to mapping it to ATT&CK and adding new techniques. We've posted and intend to keep up to date on the reports we're tracking but let us know what we're missing. medium.com/mitre-attack/iden….

ATT&CK is stronger because of the community behind it. To help you understand what contributions and formats we're looking for, here's a short summary: attack.mitre.org/w/img_auth.…. Thank you to all of our awesome contributors - past, present, and future!
Videos and slides from ATT&CKcon 2.0 have been available since shortly after the conference, but we recently updated our website to make them much easier to find. Everything from ATT&CKcon 2018, and 2.0 can now be found at attack.mitre.org/resources/a…. #attackcon
We've just made a point release (v8.2) to ATT&CK adding UNC2452 along with several software entries and a few new/updated techniques related to the Solar Winds supply chain injection. We describe the changes in medium.com/mitre-attack/iden…. Thanks to everyone who has contributed!
The team has been working furiously on a few projects that will be dropping soon. We'll be releasing a major update, including a new Impact tactic (destructive techniques, anyone?). Plus, CALDERA will be releasing version 2.0. (who likes dark theme?) We can't wait to share!
Sub-techniques, a new tactic, a new approach to mitigations, a hint about ATT&CKcon 2019, and more. Check out @jwunder's post on where we've been in 2018 and where we're hoping to go in 2019. medium.com/mitre-attack/atta…
You can now tag Sigma rules with ATT&CK tactics, techniques, groups, or software. This is a great step toward expressing detection in a common language!
We extended Sigma with rule tagging: github.com/Neo23x0/sigma/wik… And defined some tags for ATT&CK classification of Sigma rules: github.com/Neo23x0/sigma/wik… Filtering of tags in the Sigma Converter will follow soon!
The slides from the CALDERA presentation at #BHEU have been posted blackhat.com/docs/eu-17/mate…
The final post in our "Getting Started with ATT&CK" blog series is out! This time @andyplayse4 guides you through using ATT&CK to assess your SOC and engineer new defenses. medium.com/mitre-attack/gett…
(T1822) Remote Container Discovery
We just released a blog post jointly written by ATT&CK for ICS Lead @ojalexander and @Mandiant. It explores a visualization drawing on both the ATT&CK for Enterprise and ICS knowledge bases to describe an adversary operating across both. Check it out at medium.com/mitre-attack/in-p….
Interested in the ATT&CK whitepaper but don't have time to read a 27 page PDF? Check out the blog post about it by @stromcoffee mitre.org/capabilities/cyber…
Kudos to @NCSC, @NSAGov, @CISAgov, and @FBI for some best-practices use of ATT&CK in reporting on recent intrusion activity by attack.mitre.org/groups/G001….
We released a joint advisory with @NCSC, @NSAgov & @FBI on recommended detection and mitigation of SVR activity following the attribution of the SolarWinds compromise. We recommend all stakeholders check their networks for indicators of compromise: go.usa.gov/xHwAj
Looking to up your game on using ATT&CK for #CTI? @likethecoins and @_whatshisface recently recorded the ATT&CK for CTI training that they created and taught to multiple audiences over the past year. Exercises and links to the videos are now up at attack.mitre.org/training/ct….
With any big change to ATT&CK, we want the community's feedback to make sure we're on the right track. @stromcoffee wrote up our plans for sub-techniques and what the changes might entail medium.com/mitre-attack/atta…. Love it? Hate it? Let us know!
Looking for some free ATT&CK training? Last week, @MITREengenuity launched the MITRE ATT&CK Defender program with training created by members of the ATT&CK team. Check out ATT&CK Fundamentals, ATT&CK SOC Assessments, and ATT&CK for CTI via @cybraryIT at cybrary.it/info/mitre-attack…!

Curious about how ATT&CK maps to sensor logs? Our Defensive lead @LexOnTheHunt led a @MITREengenuity team to map ATT&CK data sources & data components to events in: 🪵 Auditd 🪵CloudTrail 🪵OSQuery 🪵Sysmon 🪵WinEvtx 🪵ZEEK Check it out at center-for-threat-informed-d…!
Interested in seeing CALDERA in action? We just posted a demo video: piped.video/xjDrWStR68E
Our next Getting Started with ATT&CK blog post is out, and this one was a team effort by @stromcoffee, @teschulz, and @likethecoins. Check out their advice on using ATT&CK for Adversary Emulation & Red Teaming and improving your defenses. medium.com/mitre-attack/gett…
As a part of ATT&CK v8, we also released ATT&CK for ICS in STIX (github.com/mitre/cti/tree/ma…), and a new version of the ATT&CK Navigator where you can pick your domain (including ICS) and version of ATT&CK (mitre-attack.github.io/attac…)! TAXII support for ICS is coming soon.

We're releasing ATT&CK on the perfect date! Put on your light jacket and jump into structured detections, subs for mobile beta, and ICS on our main site. Changelog is up at attack.mitre.org/resources/u… and @_whatshisface & @JasonAjmo describe what's new in medium.com/mitre-attack/atta….

We've now crossed a number of items off our 2022 todo list with the release of ATT&CK v11 earlier this week! If you haven't checked it out yet, take a look at what's new at medium.com/mitre-attack/atta… and what else is coming this year in our 2022 roadmap medium.com/mitre-attack/atta….
Coinciding with @jamieantisocial's and his #ThreatHuntingSummit talk, we've just released part 1 of a blog series by ATT&CK team member @Cyb3rPandaH on a proposed method of enhancing an often overlooked part of ATT&CK, data sources. Check it out at medium.com/mitre-attack/defi….

(T1857) Exfiltration Over Air-Gap
Sub-techniques aren’t there yet, but we’re getting close! @stromcoffee wrote an update blog post about how sub-techniques are coming along that previews two tactics, Credential Access and Lateral Movement, and responds to much of your great feedback! medium.com/mitre-attack/sub-…
We're completely full in-person for #ATTACKcon 2.0 but we are once again going to be streaming the entire conference live (as well as some online-only exclusives) for free! Sign up at mitre.org/attackcon-streamed… to join us virtually.
Power up your layers with the release of ATT&CK Navigator v4.4! We've added a new workflow for upgrading a nav layer that lets you see and respond to changed techniques, and combined search and multi-select into a more powerful UI. Check out new version at mitre-attack.github.io/attac…

We hear you that doing the MITRE is hard! Today we're launching a MITRE training bootcamp to help you all get your & on. First up: Achieve 100% coverage! Head on over to attack.mitre.org/full-covera… and play for that 100% MITRE coverage everyone's been bragging about!
Wow, 40k followers! Thanks to everyone in the community who have helped us get ATT&CK to where it is today. We're humbled by these last five years, and look forward to working with many more of you in the future!
ATT&CK Evaluations just released their 2020 Carbanak & FIN7 Evaluation results and emulation plan, as well as major updates to results format on attackevals.mitre-engenuity.…. Check out medium.com/mitre-engenuity/a… to learn more about everything that is now available.

We’ve released an update to the ATT&CK Evaluations site (attackevals.mitre.org/), including additional Round 2 info, a Technique Comparison Tool for cross-vendor analysis, and @PaloAltoNtwks’s Round 1 results. Check out @FrankDuff's post for highlights: medium.com/mitre-attack/atta…
We are thrilled to announce our keynote speaker for ATT&CKcon 3.0, Selena Larson (@selenalarson)! We will be opening free virtual registration for ATT&CKcon 3.0 next week, and you can check out the rest of our great list of speakers at mitre.org/attackcon.