ATT&CK is in a constant state of development and is based on behavior that has been observed in real-world
malicious intrusions/attacks ("in the wild"). We do not add hypothetical techniques, lab-only proofs of
concept, or behaviors that have only been used in red team exercises without evidence of use by real adversaries.
If you have information about adversary behavior that is not yet represented in ATT&CK, we would like to hear from you!
We're especially looking for contributions in the areas below. Please note that we are not able to add every suggested
technique, sub-technique, Group, Campaign, or piece of Software to ATT&CK. We prioritize contributions that improve
coverage of commonly used adversary behaviors and that are supported by clear, public references. If you have other
information you think may be useful, please ask us a question below.
Due to the high volume of contributions, we may not be able to respond to every submission individually,
and we cannot guarantee that a contribution will be added to ATT&CK. We recommend you read our
philosophy paper to understand our approach to maintaining ATT&CK so that we get the right details up front.
Content updates happen roughly every 6 months.
Before sending a contribution, please search ATT&CK for existing techniques, sub-techniques, Groups, or Software that
may already describe your example. In your message, let us know which ATT&CK entries you checked and why you think your
information is new or different. Many contributions are used to strengthen existing entries rather than create new ones.
If your example is already covered by an existing technique or does not meet the criteria above,
we will not create a new technique or sub-technique for it.
Let us know what new variations of behaviors real adversaries are using in the wild.
ATT&CK only adds techniques and sub-techniques that have been observed in real operations.
Please include:
a brief description of the behavior
references or other evidence showing where real adversaries used it
which existing ATT&CK technique(s) or sub-technique(s) it is closest to
a short explanation of how this behavior is different from what ATT&CK already describes
If a suggested behavior is hypothetical, only seen in a lab, or already covered by an existing technique,
we will not add it to ATT&CK.
To understand the process of how the MITRE team develops techniques, refer to the video below.
Threat Intelligence
We map selected Group and Software examples on our site and appreciate referenced information about how
Groups and Software use ATT&CK techniques. Please be aware that we cannot add every Group, campaign, or
piece of Software that is reported publicly. We prioritize items that have clear, publicly available reporting
and broad relevance to the community.
Please share:
the technique or sub-technique ID and name
the Group or Software name
a brief description of how the technique is implemented
at least one publicly available reference
We may use your contribution to improve existing entries or, when appropriate, to help justify adding a
new Group or Software entry.
Website Content Errors
If you find errors or typos on the site related to content, please let us know by submitting the URL where
you found the error and a short description. Examples include typos and syntax errors, improperly formatted
web pages, and 404 errors when links are clicked.
New Technique or Sub-Technique Example
ATT&CK Domain: Enterprise
Platform: Windows
Closest existing technique(s):
T1XXX – Example Technique Name
Proposed behavior summary:
Component Object Model (COM) servers associated with Graphics Interchange Format (JIF)
image viewers can be abused to corrupt arbitrary memory banks when a specially crafted
image is opened. Adversaries may use this to modify read-only memory (ROM) that is
regularly accessed during normal system operations.
Where this was observed (real-world use):
FUZZYSNUGGLYDUCK used this behavior during operations against aviation-sector targets.
The behavior is described in a publicly available report:
(www[.]awesomeThreatReports[.]org/FUZZYSNUGGLYDUCK_NOMS_ON_ROM_VIA_COM).
How this differs from existing ATT&CK content:
Existing ATT&CK techniques for persistence and privilege escalation via COM focus
on abusing COM registration and hijacking existing COM objects. In this case, the
adversary abuses a specific JIF viewer COM server to modify underlying ROM accessed by
the operating system, which is not covered by the current sub-techniques under T1XXX.
Additional technical details (optional):
The adversary loads a malformed JIF image that triggers a buffer overflow in the JIF
viewer COM server, enabling arbitrary writes to ROM. This behavior has been reproduced
using the proof-of-concept code published at:
(www[.]crazySmartResearcher[.]net/POC_DETECTIONS_&_MITIGATIONS_4_WHEN_COM_RAMS_ROM).
Detection and mitigation ideas (optional):
Monitor processes hosting the JIF viewer COM server for abnormal memory access patterns
and crashes when opening image files. Consider restricting or updating vulnerable JIF
viewers if they are not required in the environment.
Group & Software Examples
Group name: FUZZYSNUGGLYDUCK
Associated Groups:
APT1337: (www[.]sourceY[.]com)
Public references:
(www[.]sourceX[.]com/report1),
(www[.]sourceY[.]com/report2)
Short description:
FUZZYSNUGGLYDUCK is a Great Lakes-based threat group active since at least May 2018,
focusing on the aviation sector. The reports above describe several intrusions and
map activity to specific ATT&CK techniques.
Example technique mappings for FUZZYSNUGGLYDUCK:
T1566.001 – Phishing: Spearphishing Attachment – FUZZYSNUGGLYDUCK has used
spearphishing email attachments containing images of stale bread to deliver
malware. (www[.]sourceX[.]com/report1)
T1083 – File and Directory Discovery – FUZZYSNUGGLYDUCK has searched files and
directories for the string *quack*. (www[.]sourceY[.]com/report2)
Software name: FLYINGV
Public references:
(www[.]sourceX[.]com/report1),
(www[.]sourceY[.]com/report3)
Group association:
FLYINGV has been used by FUZZYSNUGGLYDUCK in multiple campaigns. (www[.]sourceZ[.]com/report3)
Short description:
FLYINGV is custom malware used by FUZZYSNUGGLYDUCK as a second-stage RAT.
(www[.]sourceZ[.]com/report3)
Platform:
Windows
Example technique mappings for FLYINGV:
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder –
FLYINGV has added the Registry Run key “HueyDeweyLouie” to establish persistence.
(www[.]sourceX[.]com/report1)
T1083 – File and Directory Discovery – FLYINGV has used rundll32.exe
to load its malicious DLL file, estevez.dll, and then enumerate files.
(www[.]sourceX[.]com/report1)
Website Content Error
URL of error: attack.mitre.org/resources/contribute
Description of error: link to the philosophy paper is broken
Contributors
The following individuals or organizations have contributed information
regarding the existence of a technique, details on how to detect and/or mitigate
use of a technique, or threat intelligence on adversary use:
@_montysecurity
@grahamhelton3
@ionstorm
Aagam Shah, @neutrinoguy, ABB
Aaron Jornet
Aaron Sullivan aka ZerkerEOD
Abel Morales, Exabeam
Abhijit Mohanta, @abhijit_mohanta, Uptycs
Achute Sharma, Keysight
Adam Hunt
Adam Lichters
Adam Mashinchi
Adrien Bataille
Ai Kimura, NEC Corporation
Akiko To, NEC Corporation
Akshat Pradhan, Qualys
Alain Homewood
Alain Homewood, Insomnia Security
Alan Neville, @abnev
Alden Schmidt
Ale Houspanossian
Alex Hinchliffe, Palo Alto Networks
Alex Parsons, Crowdstrike
Alex Soler, AttackIQ
Alex Spivakovsky, Pentera
Alexandros Pappas
Alexey Kleymenov
Alfredo Abarca
Alfredo Oliveira, Trend Micro
Allen DeRyke, ICE
Alon Klayman, Hunters Security
Ami Holeston, CrowdStrike
Amir Gharib, Microsoft Threat Intelligence
Amir Hossein Vafifar
Amnon Kushnir, Sygnia
Anastasios Pingios
Anders Vejlby
Andrea Serrano Urea, Telefónica Tech
Andrew Allen, @whitehat_zero
Andrew Northern, @ex_raritas
Andrew Smith, @jakx_
Antonio Piazza, @antman1p
Antonio Villani, @LDO_CyberSec, Leonardo's Cyber Security Division
AppOmni
Arad Inbar, Fidelis Security
Arie Olshtein, Check Point
Ariel Shuper, Cisco
Arnim Rupp, Deutsche Lufthansa AG
Arun Seelagan, CISA
Asritha Narina
Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security
Atul Nair, Qualys
Aung Kyaw Min Naing, @Nolan
Austin Clark, @c2defense
Austin Herrin
Austin Larsen and the Google Threat Intelligence Group
Avioo360
Aviran Hazum, Check Point
Avneet Singh
Awake Security
Ayan Saha, Keysight
Barbara Louis-Sidney (OWN-CERT)
Barry Shteiman, Exabeam
Bartosz Jerzman
Ben Smith
Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD)