Contribute

You can help contribute to ATT&CK.

ATT&CK is in a constant state of development. We are always on the lookout for new information to help refine and extend what is covered. If you have additional techniques, know about variations on one already covered, have examples of techniques in use, or have other relevant information, then we would like to hear from you.

We are looking for contributions in the following areas in particular, but if you have other information you think may be useful, please reach us at attack@mitre.org.

All contributions and feedback to ATT&CK are appreciated. Due to the high volume of contributions, it may take us about a week to get back to you. We may ask you follow-up questions to help us understand your contribution and gather additional information. We recommend you read our philosophy paper to understand our approach to maintaining ATT&CK so that we get the right details up front. If we find the contribution fills a gap, then we will make edits and send you a draft version of the technique or Group/Software page for your review prior to it being published, listing you as a contributor if desired. Content updates happen roughly every 6 months.

Contributing to ATT&CK

Sub-Techniques and Techniques

We appreciate your help to let us know about what new techniques and technique variations adversaries are using in the wild. You can start by emailing us the technique name, a brief description, and references or knowledge about how it is being used by adversaries. We suggest you take a close look at what we already have on our site, paying attention to the level of abstraction of techniques and sub-techniques. Since we are working on adding new technique details constantly, we will deconflict what you send with what we’re working on. We’ll provide feedback and work with you to get the content added.

macOS, Linux, cloud, and ICS

While we also cover the Windows and mobile platforms, we are particularly interested in new macOS, Linux, cloud, and ICS techniques since there is a lack of publicly available threat intel for techniques used against those platforms. This leads to gaps in the knowledge base that you can help fill.

Threat Intelligence

We map Group and Software examples on our site, and there is more open-source threat intelligence reporting than we can keep up with on our own. We appreciate your help with referenced information about how Groups and Software samples use ATT&CK techniques. Threat intelligence contributions are most helpful to us when they follow the format used on our website, with each technique, group name, or associated group cited to a publicly-available reference. We ask that you provide the sub-technique or technique name, a brief description of how the technique is implemented, and the publicly-available reference.

Data Sources

We often don’t have direct access to endpoint or network log data for technique use in incidents. We’re always looking for partners who would be interested in sharing relevant data from logs that show how adversaries are using ATT&CK techniques beyond what appears in threat reporting.

Your Use Cases

It’s always helpful for us to hear about how you’re using ATT&CK in your organization. We appreciate any information you can share with us about your specific use case or application of ATT&CK, and particularly any success stories you’ve had as a result.

Contribution Examples

New Technique Example

(Sub-)Technique Name: COM, ROM, & BE GONE

Tactic: Persistence

Platform: Windows

Required Permissions: User

Sub-techniques: This is a sub-technique of T1XXX, or this would have T1XXX as a sub-technique

Data Sources: Windows API, Process monitoring, or other sources that can be used to detect this activity

Description: Component Object Model (COM) servers associated with Graphics Interchange Format (JIF) image viewers can be abused to corrupt arbitrary memory banks. Adversaries may leverage this opportunity to modify, mux, and maliciously annoy (MMA) read-only memory (ROM) regularly accessed during normal system operations.

Detection: Monitor the JIF viewers for muxing and malicious annoyance. Use event ID 423420 and 234222 to detect changes.

Mitigation: Configure the Registry key HKLM\SYSTEM\ControlSet\001\Control\WindowsJIFControl\ to 0 to disable MMA access if not needed within the environment.

Adversary Use: Here is a publicly-available reference about FUZZYSNUGGLYDUCK using this technique: (www[.]awesomeThreatReports[.]org/FUZZYSNUGGLYDUCK_NOMS_ON_ROM_VIA_COM). Additionally, our red team uses this in our operations.

Additional References: Here is a reference from the researcher who discovered this technique: (www[.]crazySmartResearcher[.]net/POC_DETECTIONS_&_MITIGATIONS_4_WHEN_COM_RAMS_ROM)

Group & Software Example

Group Name: FUZZYSNUGGLYDUCK (www[.]sourceX[.]com)

Associated Groups: APT1337 (www[.]sourceY[.]com)

Description: FUZZYSNUGGLYDUCK is a Great Lakes-based threat group that has been active since at least May 2018. The group focuses on targeting the aviation sector. (www[.]sourceY[.]com)

Techniques:
  • Phishing: Spearphishing Attachment (T1566.001) – FUZZYSNUGGLYDUCK has used spearphishing email attachments containing images of stale bread to deliver malware. (www[.]sourceX[.]com)
  • File and Directory Discovery (T1083) – FUZZYSNUGGLYDUCK has searched files and directories for the string *quack*. (www[.]sourceY[.]com)

Software Name: FLYINGV (www[.]sourceX[.]com) (www[.]sourceZ[.]com)

Group Association: FLYINGV has been used by FUZZYSNUGGLYDUCK. (www[.]sourceZ[.]com)

Description: FLYINGV is custom malware used by FUZZYSNUGGLYDUCK as a second-stage RAT. (www[.]sourceZ[.]com)

Platform: Windows

Techniques:
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) – FLYINGV has added the Registry Run key “HueyDeweyLouie” to establish persistence. (www[.]sourceX[.]com)
  • File and Directory Discovery (T1083) – FLYINGV has used rundll32.exe to load its malicious dll file, estevez.dll. (www[.]sourceX[.]com)

Content Errors on the Website

If you find errors or typos on the site related to content, please let us know by sending an email to attack@mitre.org with the subject "Website Content Error".

Please let us know the following:

  1. The URL where you found the error.
  2. A short description of the error.

Examples of errors:

  • Typos and syntax errors
  • Improperly formatted web pages
  • 404 errors when links are clicked

Contributors

The following individuals or organizations have contributed information regarding the existence of a technique, details on how to detect and/or mitigate use of a technique, or threat intelligence on adversary use:

  • @ionstorm
  • Aagam Shah, @neutrinoguy, ABB
  • Abel Morales, Exabeam
  • Abhijit Mohanta, @abhijit_mohanta, Uptycs
  • Achute Sharma, Keysight
  • Akshat Pradhan, Qualys
  • Alain Homewood, Insomnia Security
  • Alan Neville, @abnev
  • Alex Hinchliffe, Palo Alto Networks
  • Alex Parsons, Crowdstrike
  • Alex Soler, AttackIQ
  • Alex Spivakovsky, Pentera
  • Alexandros Pappas
  • Alfredo Abarca
  • Alfredo Oliveira, Trend Micro
  • Allen DeRyke, ICE
  • Anastasios Pingios
  • Andrew Allen, @whitehat_zero
  • Andrew Northern, @ex_raritas
  • Andrew Smith, @jakx_
  • Antonio Piazza, @antman1p
  • Antonio Villani, @LDO_CyberSec, Leonardo's Cyber Security Division
  • AppOmni
  • Arie Olshtein, Check Point
  • Ariel Shuper, Cisco
  • Arnim Rupp, Deutsche Lufthansa AG
  • Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security
  • Atul Nair, Qualys
  • Austin Clark, @c2defense
  • Aviran Hazum, Check Point
  • Avneet Singh
  • Awake Security
  • Ayan Saha, Keysight
  • Barry Shteiman, Exabeam
  • Bart Parys
  • Bartosz Jerzman
  • Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD)
  • Bernaldo Penas Antelo
  • Blake Strom, Microsoft 365 Defender
  • Bobby Filar, Elastic
  • Boominathan Sundaram
  • Brad Geesaman, @bradgeesaman
  • Brandon Dalton @PartyD0lphin
  • Brent Murphy, Elastic
  • Brian Wiltse @evalstrings
  • Bryan Campbell, @bry_campbell
  • Bryan Lee
  • Carlos Borges, @huntingneo, CIP
  • Carrie Roberts, @OrOneEqualsOne
  • Casey Smith
  • Catherine Williams, BT Security
  • Center for Threat-Informed Defense (CTID)
  • Chen Erlich, @chen_erlich, enSilo
  • Chris Heald
  • Chris Roffe
  • Chris Romano, Crowdstrike
  • Chris Ross @xorrior
  • Christiaan Beek, @ChristiaanBeek
  • Christoffer Strömblad
  • Christopher Glyer, Mandiant, @cglyer
  • Cian Heasley
  • Cisco
  • Clément Notin, Tenable
  • Cody Thomas, SpecterOps
  • Conrad Layne - GE Digital
  • Craig Aitchison
  • Craig Smith, BT Security
  • CrowdStrike
  • CrowdStrike Falcon OverWatch
  • Csaba Fitzl @theevilbit of Offensive Security
  • Cybereason Nocturnus, @nocturnus
  • Daisuke Suzuki
  • Dan Borges, @1njection
  • Dan Nutting, @KerberToast
  • Daniel Acevedo, Blackbot
  • Daniel Feichter, @VirtualAllocEx, Infosec Tirol
  • Daniel Oakley
  • Daniel Prizmant, Palo Alto Networks
  • Daniel Stepanic, Elastic
  • Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
  • Daniyal Naeem, BT Security
  • Darin Smith, Cisco
  • Darren Spruell
  • Dave Westgard
  • David Ferguson, CyberSponse
  • David Fiser, @anu4is, Trend Micro
  • David French, Elastic
  • David Hughes, BT Security
  • David Lu, Tripwire
  • David Routin
  • David Tayouri
  • Deloitte Threat Library Team
  • Diogo Fernandes
  • Dongwook Kim, KISA
  • Dor Edry, Microsoft
  • Doron Karmi, @DoronKarmi
  • Dragos Threat Intelligence
  • Dray Agha, @Purp1eW0lf, Huntress Labs
  • Drew Church, Splunk
  • Dror Alon, Palo Alto Networks
  • Ed Williams, Trustwave, SpiderLabs
  • Edward Millington
  • Elastic
  • Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre
  • Eli Salem, @elisalem9
  • Elia Florio, Microsoft
  • Elly Searle, CrowdStrike — contributed to tactic definitions
  • Elvis Veliz, Citi
  • Emile Kenning, Sophos
  • Emily Ratliff, IBM
  • ENDGAME
  • Eran Ayalon, Cybereason
  • Eric Kaiser @ideologysec
  • Eric Kuehn, Secure Ideas
  • Erik Schamper, @Schamperr, Fox-IT
  • Erika Noerenberg, @gutterchurl, Carbon Black
  • Erye Hernandez, Palo Alto Networks
  • ESET
  • Expel
  • ExtraHop
  • Felipe Espósito, @Pr0teus
  • Filip Kafka, ESET
  • FIRST.ORG's Cyber Threat Intelligence SIG
  • Flavio Costa, Cisco
  • Francesco Bigarella
  • FS-ISAC
  • Gaetan van Diemen, ThreatFabric
  • Gal Singer, @galsinger29, Team Nautilus Aqua Security
  • Gareth Phillips, Seek Ltd.
  • George Allen, VMware Carbon Black
  • Goldstein Menachem
  • Gordon Long, Box, Inc., @ethicalhax
  • Hannah Simes, BT Security
  • Hans Christoffer Gaardløs
  • Harry Hill, BT Security
  • Harry Kim, CODEMIZE
  • Harry, CODEMIZE
  • Harshal Tupsamudre, Qualys
  • Heather Linn
  • Hiroki Nagahama, NEC Corporation
  • Ian Davila, Tidal Cyber
  • Ian McKay
  • Ibrahim Ali Khan
  • ICSCoE Japan
  • Idan Frimark, Cisco
  • Idan Revivo, @idanr86, Team Nautilus Aqua Security
  • Ilan Sokol, Cybereason
  • Isif Ibrahima, Mandiant
  • Itamar Mizrahi, Cymptom
  • Itzik Kotler, SafeBreach
  • Ivan Sinyakov
  • Jacob Wilkin, Trustwave, SpiderLabs
  • Jacques Pluviose, @Jacqueswildy_IT
  • James Dunn, @jamdunnDFW, EY
  • James_inthe_box, Me
  • Jan Miller, CrowdStrike
  • Jan Petrov, Citi
  • Janantha Marasinghe
  • Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
  • Jared Atkinson, @jaredcatkinson
  • Jaron Bradley @jbradley89
  • Jay Chen, Palo Alto Networks
  • Jean-Ian Boutin, ESET
  • Jeff Felling, Red Canary
  • Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
  • Jen Burns, HubSpot
  • Jeremy Galloway
  • Jesse Brown, Red Canary
  • Jimmy Astle, @AstleJimmy, Carbon Black
  • Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics
  • Joas Antonio dos Santos, @Cr4zyC0d3
  • Joe Gervais
  • Joe Slowik - Dragos
  • Johann Rehberger
  • John Lambert, Microsoft Threat Intelligence Center
  • John Page (aka hyp3rlinx), ApparitionSec
  • John Strand
  • Jon Sheedy
  • Jon Sternstein, Stern Security
  • Jonathan Boucher, @crash_wave, Bank of Canada
  • Jonathan Shimonovich, Check Point
  • Jonhnathan Ribeiro, 3CORESec, @_w0rk3r
  • Jorell Magtibay, National Australia Bank Limited
  • Jorge Orchilles, SCYTHE
  • Jos Wetzels - Midnight Blue
  • Jose Luis Sánchez Martinez
  • Josh Abraham
  • Josh Campbell, Cyborg Security, @cyb0rgsecur1ty
  • Josh Day, Gigamon
  • Josh Liburdi, @jshlbrd
  • João Paulo de A. Filho, @Hug1nN__
  • Justin Warner, ICEBRG
  • Jörg Abraham, EclecticIQ
  • Karim Hasanen, @_karimhasanen
  • Kaspersky
  • Katie & Tony Lambert
  • Katie Nickels, Red Canary
  • Kiyohito Yamamoto, RedLark, NTT Communications
  • Kobi Eisenkraft, Check Point
  • Kobi Haimovich, CardinalOps
  • Krishnan Subramanian, @krish203
  • Kyaw Pyiyt Htet, @KyawPyiytHtet
  • Kyoung-ju Kwak (S2W)
  • Lab52 by S2 Grupo
  • Lacework Labs
  • Lee Christensen, SpecterOps
  • Leo Loobeek, @leoloobeek
  • Leo Zhang, Trend Micro
  • Lior Ribak, SentinelOne
  • Liran Ravich, CardinalOps
  • Loic Jaquemet
  • Lorin Wu, Trend Micro
  • Lucas da Silva Pereira, @vulcanunsec, CIP
  • Lucas Heiligenstein
  • Lukáš Štefanko, ESET
  • Maarten van Dantzig, @MaartenVDantzig, Fox-IT
  • Magno Logan, @magnologan, Trend Micro
  • Manikantan Srinivasan, NEC Corporation India
  • Marc-Etienne M.Léveillé, ESET
  • Maril Vernon @shewhohacks
  • Marina Krotofil
  • Mark Wee
  • Martin Jirkal, ESET
  • Martin Smolár, ESET
  • Martin Sohn Christensen, Improsec
  • Massimiliano Romano, BT Security
  • Matan Dobrushin - Otorio
  • Mathieu Tartare, ESET
  • Matias Nicolas Porolli, ESET
  • Matt Brenton, Zurich Global Information Security
  • Matt Brenton, Zurich Insurance Group
  • Matt Burrough, @mattburrough, Microsoft
  • Matt Graeber, @mattifestation, SpecterOps
  • Matt Kelly, @breakersall
  • Matt Snyder, VMware
  • Matthew Demaske, Adaptforward
  • Matthew Green
  • Matthew Molyett, @s1air, Cisco Talos
  • Matthieu Faou, ESET
  • Mayan Arora aka Mayan Mohan
  • Mayuresh Dani, Qualys
  • McAfee
  • Menachem Goldstein
  • Menachem Shafran, XM Cyber
  • Michael Cox
  • Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security
  • Michael Raggi @aRtAGGI
  • Michal Dida, ESET
  • Microsoft Detection and Response Team (DART)
  • Microsoft Security
  • Microsoft Threat Intelligence Center (MSTIC)
  • Mike Burns, Mandiant
  • Mike Kemmerer
  • Mike Moran
  • Milos Stojadinovic
  • Mindaugas Gudzis, BT Security
  • Miriam Wiesner, @miriamxyra, Microsoft Security
  • Mnemonic
  • Mnemonic AS
  • Mohamed Kmal
  • Mugdha Peter Bansode
  • Nathaniel Quist, Palo Alto Networks
  • Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
  • NEC
  • Netskope
  • Nick Cairns, @grotezinfosec
  • Nick Carr, Mandiant
  • Nik Seetharaman, Palantir
  • Nino Verde, @LDO_CyberSec, Leonardo's Cyber Security Division
  • Nishan Maharjan, @loki248
  • NST Assure Research Team, NetSentries Technologies
  • Oddvar Moe, @oddvarmoe
  • Ofir Almkias, Cybereason
  • Ohad Mana, Check Point
  • Oleg Kolesnikov, Securonix
  • Oleg Skulkin, Group-IB
  • Oleksiy Gayda
  • Omkar Gudhate
  • Or Kliger, Palo Alto Networks
  • Oren Ofer, Cybereason
  • Ozer Sarilar, @ozersarilar, STM
  • Patrick Campbell, @pjcampbe11
  • Patrick Sungbahadoor
  • Paul Speulstra, AECOM Global Security Operations Center
  • Pawan Kinger, @kingerpawan, Trend Micro
  • Pawel Partyka, Microsoft 365 Defender
  • Pedro Harrison
  • Phil Stokes, SentinelOne
  • Philip Winther
  • Phill Taylor, BT Security
  • Pià Consigny, Tenable
  • Pooja Natarajan, NEC Corporation India
  • Praetorian
  • Prasad Somasamudram, McAfee
  • Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team
  • Prashant Verma, Paladion
  • Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
  • Ram Pliskin, Microsoft Azure Security Center
  • Raphaël Lheureux
  • Red Canary
  • RedHuntLabs, @redhuntlabs
  • Regina Elwell
  • Rex Guo, @Xiaofei_REX, Confluera
  • Ricardo Dias
  • Richard Gold, Digital Shadows
  • Richard Julian, Citi
  • Richie Cyrus, SpecterOps
  • Rick Cole, Mandiant
  • Rob Smith
  • Robby Winchester, @robwinchester3
  • Robert Falcone
  • Robert Simmons, @MalwareUtkonos
  • Robert Wilson
  • Rodrigo Garcia, Red Canary
  • Roi Kol, @roykol1, Team Nautilus Aqua Security
  • Romain Dumont, ESET
  • Rory McCune, Aqua Security
  • Ruben Dodge, @shotgunner101
  • Runa Sandvik
  • Ryan Becwar
  • Ryan Benson, Exabeam
  • Ryo Tamura, SecureBrain Corporation
  • Sahar Shukrun
  • Saisha Agrawal, Microsoft Threat Intelligence Center (MSTIC)
  • Sarathkumar Rajendran, Microsoft Defender365
  • SarathKumar Rajendran, Trimble Inc
  • Scott Dougherty
  • Scott Knight, @sdotknight, VMware Carbon Black
  • Scott Lundgren, @5twenty9, Carbon Black
  • Sebastian Salla, McAfee
  • Sebastian Showell-Westrip, BT Security
  • Sekhar Sarukkai, McAfee
  • Selena Larson, @selenalarson
  • Sergey Persikov, Check Point
  • Shailesh Tiwary (Indian Army)
  • Shane Tully, @securitygypsy
  • Shanief Webb
  • Shilpesh Trivedi, Uptycs
  • Shlomi Salem, SentinelOne
  • Shotaro Hamamoto, NEC Solution Innovators, Ltd
  • Shuhei Sasada, Cyber Defense Institute, Inc
  • Silvio La Porta, @LDO_CyberSec, Leonardo's Cyber Security Division
  • Sittikorn Sangrattanapitak
  • SOCCRATES
  • Stan Hegt, Outflank
  • Stefan Kanthak
  • Steven Du, Trend Micro
  • Sudhanshu Chauhan, @Sudhanshu_C
  • Sunny Neo
  • Suzy Schapperle - Microsoft Azure Red Team
  • Swapnil Kumbhar
  • Swasti Bhushan Deb, IBM India Pvt. Ltd.
  • Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
  • Syed Ummar Farooqh, McAfee
  • Sylvain Gil, Exabeam
  • Sébastien Ruel, CGI
  • Taewoo Lee, KISA
  • Takuma Matsumoto, LAC Co., Ltd
  • Tatsuya Daitoku, Cyber Defense Institute, Inc.
  • Ted Samuels, Rapid7
  • Teodor Cimpoesu
  • The DFIR Report, @TheDFIRReport
  • The Wover, @TheRealWover
  • Thijn Bukkems, Amazon
  • Thirumalai Natarajan, Mandiant
  • Tiago Faria, 3CORESec
  • Tim (Wadhwa-)Brown
  • Tim MalcomVetter
  • Toby Kohlenberg
  • Tom Ueltschi @c_APT_ure
  • Tony Lambert, Red Canary
  • Tony Lee
  • Travis Smith, Qualys
  • Travis Smith, Tripwire
  • Trend Micro Incorporated
  • Tristan Bennett, Seamless Intelligence
  • TruKno
  • Tsubasa Matsuda, NEC Corporation
  • Uriel Kosayev
  • Vadim Khrykov
  • Valerii Marchuk, Cybersecurity Help s.r.o.
  • Varonis Threat Labs
  • Veeral Patel
  • Vijay Lalwani
  • Vikas Singh, Sophos
  • Vinay Pidathala
  • Vinayak Wadhwa, Lucideus
  • Vinayak Wadhwa, SAFE Security
  • Vincent Le Toux
  • Viren Chaudhari, Qualys
  • Vishwas Manral, McAfee
  • Walker Johnson
  • Wayne Silva, F-Secure Countercept
  • Wes Hurd
  • Wietze Beukema, @wietze
  • Will Jolliffe
  • Will Thomas, Cyjax
  • Will Thomas, Equinix Threat Analysis Center (ETAC)
  • William Cain
  • Wojciech Lesicki
  • Yaniv Agman, @AgmanYaniv, Team Nautilus Aqua Security
  • Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
  • Yonatan Gotlib, Deep Instinct
  • Yoshihiro Kori, NEC Corporation
  • Yossi Nisani, Cymptom
  • Yossi Weizman, Azure Defender Research Team
  • Yusuke Kubo, RedLark, NTT Communications
  • Yusuke Niwa, ITOCHU Corporation
  • Yuval Avrahami, Palo Alto Networks
  • Zachary Abzug, @ZackDoesML
  • Zachary Stanford, @svch0st
  • Zaw Min Htun, @Z3TAE
  • Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security
  • Ziv Kaspersky, Cymptom
  • Zur Ulianitzky, XM Cyber

Thanks to those who have contributed to ATT&CK!