Updates - October 2022

Version	Start Date	End Date	Data	Changelogs
ATT&CK v12	October 25, 2022	April 24, 2023	v12.0 on MITRE/CTI v12.1 on MITRE/CTI	11.3 - 12.0 Details (JSON) 12.0 - 12.1 Details (JSON)

The October 2022 (v12) ATT&CK release updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v12 are the addition of detections to ATT&CK for ICS, and the introduction of Campaigns.

Matching the model introduced to ATT&CK for Enterprise in ATT&CK v11, ATT&CK for ICS detections describe ways of detecting various ICS techniques and are each tied to specific Data Sources and Data Components. This detection format was described in detail in our ATT&CK v11 release blog post. The new detections added leverage both traditional host and network-based collection as well as ICS specific sources such as Asset and Operational Databases. As there are overlaps between the Enterprise and ICS ATT&CK domains some ICS detections include references to Enterprise techniques where the additional context may assist defenders.

This release introduces the Campaign data structure to ATT&CK and an initial limited set of Campaigns. ATT&CK's Campaigns are defined as a grouping of intrusion activity conducted over a specific period of time with common targets and objectives. A key aspect of Campaigns is that the activity may or may not be linked to a specific threat actor. Campaigns are described in detail in the blog post Introducing Campaigns to MITRE ATT&CK. Specifics on how Campaigns are implemented in ATT&CK's Enterprise, ICS, and Mobile STIX representations are described in ATT&CK's STIX 2.0 Data Model and STIX 2.1 Data Model. Several existing Groups were identified as more closely matching the Campaign than the Group definition and were converted to Campaigns. The 7 impacted groups were deprecated (noted below) and new Campaigns were created in their place.

In this release we have renamed the Enterprise Technique "Indicator Removal on Host" to Indicator Removal (T1070) and rescoped it to better account for adversary behavior in cloud environments.

This version of ATT&CK for Enterprise contains 14 Tactics, 193 Techniques, 401 Sub-techniques, 135 Groups, 14 Campaigns, and 718 Pieces of Software.

Table of Contents

New Campaigns in ATT&CK

• C0010 (v1.0)
• C0011 (v1.0)
• C0015 (v1.0)
• CostaRicto (v1.0) (replaces the group G0132/CostaRicto)
• Frankenstein (v1.0) (replaces the group G0101/Frankenstein)
• FunnyDream (v1.0)
• Night Dragon (v1.0) (replaces the group G0014/Night Dragon)
• Oldsmar Treatment Plant Intrusion (v1.0)
• Operation CuckooBees (v1.0)
• Operation Dust Storm (v1.0) (replaces the group G0031/Dust Storm)
• Operation Honeybee (v1.0) (replaces the group G0072/HoneyBee)
• Operation Sharpshooter (v1.0) (replaces the group G0104/Sharpshooter)
• Operation Spalax (v1.0)
• Operation Wocao (v1.0) (replaces the group G0116/Operation Wocao)

Techniques

Enterprise

New Techniques

• Acquire Infrastructure: Serverless (v1.0)
• Compromise Accounts: Cloud Accounts (v1.0)
• Compromise Infrastructure: Serverless (v1.0)
• Establish Accounts: Cloud Accounts (v1.0)
• Event Triggered Execution: Installer Packages (v1.0)
• Indicator Removal: Clear Mailbox Data (v1.0)
• Indicator Removal: Clear Network Connection History and Configurations (v1.0)
• Indicator Removal: Clear Persistence (v1.0)
• Modify Authentication Process: Hybrid Identity (v1.0)
• Modify Authentication Process: Multi-Factor Authentication (v1.0)
• Obfuscated Files or Information: Dynamic API Resolution (v1.0)
• Obfuscated Files or Information: Embedded Payloads (v1.0)
• Obfuscated Files or Information: Stripped Payloads (v1.0)
• Search Open Websites/Domains: Code Repositories (v1.0)
• Serverless Execution (v1.0)
• Stage Capabilities: SEO Poisoning (v1.0)
• Steal or Forge Authentication Certificates (v1.0)
• Traffic Signaling: Socket Filters (v1.0)

Technique Changes

• Account Discovery: Domain Account (v1.0→v1.1)
• Account Discovery: Local Account (v1.2→v1.3)
• Account Manipulation (v2.3→v2.4)
• Additional Cloud Credentials (v2.3→v2.4)
• Additional Cloud Roles (v2.0→v2.1)
• Acquire Infrastructure: Domains (v1.1→v1.2)
• Adversary-in-the-Middle (v2.1→v2.2)
• DHCP Spoofing (v1.0→v1.1)
• LLMNR/NBT-NS Poisoning and SMB Relay (v1.2→v1.3)
• Application Layer Protocol: DNS (v1.0→v1.1)
• BITS Jobs (v1.2→v1.3)
• Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (v1.1→v1.2)
• Boot or Logon Autostart Execution: Shortcut Modification (v1.1→v1.2)
• Credentials from Password Stores: Windows Credential Manager (v1.0→v1.1)
• Data Encrypted for Impact (v1.3→v1.4)
• Data from Cloud Storage (v1.1→v2.0)
• Data from Information Repositories: Code Repositories (v1.0→v1.1)
• Data from Local System (v1.4→v1.5)
• Data from Network Shared Drive (v1.2→v1.3)
• Domain Policy Modification: Domain Trust Modification (v1.0→v1.1)
• Domain Trust Discovery (v1.1→v1.2)
• Escape to Host (v1.2→v1.3)
• Event Triggered Execution (v1.1→v1.2)
• Exfiltration Over Web Service (v1.1→v1.2)
• Exfiltration to Cloud Storage (v1.0→v1.1)
• Exploitation for Privilege Escalation (v1.3→v1.4)
• External Remote Services (v2.3→v2.4)
• File and Directory Discovery (v1.4→v1.5)
• File and Directory Permissions Modification (v2.1→v2.2)
• Firmware Corruption (v1.1→v1.2)
• Gather Victim Identity Information: Email Addresses (v1.1→v1.2)
• Gather Victim Network Information: DNS (v1.0→v1.1)
• Gather Victim Network Information: Domain Properties (v1.0→v1.1)
• Impair Defenses (v1.2→v1.3)
• Disable or Modify Tools (v1.2→v1.3)
• Impair Command History Logging (v2.1→v2.2)
• Indicator Blocking (v1.0→v1.1)
• Indicator Removal (v1.3→v2.0)
• Clear Command History (v1.2→v1.3)
• Modify Authentication Process (v2.1→v2.2)
• Obfuscated Files or Information (v1.2→v1.3)
• Password Policy Discovery (v1.4→v1.5)
• Permission Groups Discovery: Domain Groups (v1.0→v1.1)
• Permission Groups Discovery: Local Groups (v1.0→v1.1)
• Phishing: Spearphishing Link (v2.2→v2.3)
• Phishing for Information: Spearphishing Link (v1.2→v1.3)
• Process Injection (v1.2→v1.3)
• Dynamic-link Library Injection (v1.1→v1.2)
• VDSO Hijacking (v1.0→v1.1)
• Remote System Discovery (v3.3→v3.4)
• Replication Through Removable Media (v1.1→v1.2)
• Scheduled Task/Job: Scheduled Task (v1.1→v1.2)
• Search Open Websites/Domains (v1.0→v1.1)
• Server Software Component (v1.3→v1.4)
• Web Shell (v1.2→v1.3)
• Stage Capabilities (v1.1→v1.2)
• Link Target (v1.1→v1.2)
• Upload Tool (v1.1→v1.2)
• Subvert Trust Controls: Code Signing (v1.0→v1.1)
• Subvert Trust Controls: Gatekeeper Bypass (v1.1→v1.2)
• System Information Discovery (v2.4→v2.5)
• System Network Configuration Discovery (v1.4→v1.5)
• System Network Connections Discovery (v2.3→v2.4)
• System Service Discovery (v1.3→v1.4)
• System Shutdown/Reboot (v1.1→v1.2)
• Traffic Signaling (v2.3→v2.4)
• Transfer Data to Cloud Account (v1.2→v1.3)
• Trusted Relationship (v2.2→v2.3)
• Use Alternate Authentication Material: Application Access Token (v1.3→v1.4)
• Valid Accounts (v2.4→v2.5)

Minor Technique Changes

• Abuse Elevation Control Mechanism: Elevated Execution with Prompt (v1.0→v1.0)
• Adversary-in-the-Middle: ARP Cache Poisoning (v1.1→v1.1)
• Brute Force: Password Guessing (v1.3→v1.3)
• Command and Scripting Interpreter: AppleScript (v1.1→v1.1)
• Compromise Infrastructure (v1.2→v1.2)
• Create or Modify System Process: Windows Service (v1.2→v1.2)
• Data Staged (v1.4→v1.4)
• Defacement: Internal Defacement (v1.1→v1.1)
• Disk Wipe (v1.0→v1.0)
• Disk Content Wipe (v1.0→v1.0)
• Hijack Execution Flow: Path Interception by Unquoted Path (v1.1→v1.1)
• Multi-Factor Authentication Request Generation (v1.0→v1.0)
• OS Credential Dumping: LSASS Memory (v1.1→v1.1)
• OS Credential Dumping: Security Account Manager (v1.0→v1.0)
• Search Open Technical Databases (v1.0→v1.0)
• Service Stop (v1.2→v1.2)

Technique Revocations

• No changes

Technique Deprecations

• No changes

Mobile

New Techniques

• No changes

Technique Changes

• No changes

Minor Technique Changes

• Location Tracking: Impersonate SS7 Nodes (v1.0→v1.0)
• Location Tracking: Remote Device Management Services (v1.0→v1.0)

Technique Revocations

• No changes

Technique Deprecations

• No changes

ICS

New Techniques

• Hardcoded Credentials (v1.0)

Technique Changes

• Adversary-in-the-Middle (v1.0→v2.0)
• Alarm Suppression (v1.0→v1.1)
• Block Serial COM (v1.0→v1.1)
• Command-Line Interface (v1.0→v1.1)
• Commonly Used Port (v1.0→v1.1)
• Connection Proxy (v1.0→v1.1)
• Data from Information Repositories (v1.0→v1.1)
• Device Restart/Shutdown (v1.0→v1.1)
• Execution through API (v1.0→v1.1)
• Exploitation for Evasion (v1.0→v1.1)
• Exploitation for Privilege Escalation (v1.0→v1.1)
• Graphical User Interface (v1.0→v1.1)
• Hooking (v1.0→v1.1)
• I/O Image (v1.0→v1.1)
• Lateral Tool Transfer (v1.0→v1.1)
• Manipulate I/O Image (v1.0→v1.1)
• Masquerading (v1.0→v1.1)
• Modify Alarm Settings (v1.0→v1.1)
• Modify Controller Tasking (v1.0→v1.1)
• Modify Parameter (v1.0→v1.1)
• Modify Program (v1.0→v1.1)
• Module Firmware (v1.0→v1.1)
• Network Connection Enumeration (v1.0→v1.1)
• Point & Tag Identification (v1.0→v1.1)
• Program Download (v1.0→v1.1)
• Remote Services (v1.0→v1.1)
• Remote System Discovery (v1.0→v1.1)
• Remote System Information Discovery (v1.0→v1.1)
• Rogue Master (v1.0→v1.1)
• Rootkit (v1.0→v1.1)
• Spearphishing Attachment (v1.0→v1.1)
• Spoof Reporting Message (v1.0→v1.1)
• Supply Chain Compromise (v1.0→v1.1)
• System Firmware (v1.0→v1.1)
• Transient Cyber Asset (v1.0→v1.1)
• Unauthorized Command Message (v1.0→v1.1)
• User Execution (v1.0→v1.1)
• Valid Accounts (v1.0→v1.1)
• Wireless Compromise (v1.0→v1.1)
• Wireless Sniffing (v1.0→v1.1)

Minor Technique Changes

• Block Reporting Message (v1.0→v1.0)
• Brute Force I/O (v1.0→v1.0)
• Damage to Property (v1.0→v1.0)
• Data Destruction (v1.0→v1.0)
• Default Credentials (v1.0→v1.0)
• Denial of Control (v1.0→v1.0)
• Denial of Service (v1.0→v1.0)
• Denial of View (v1.0→v1.0)
• Drive-by Compromise (v1.0→v1.0)
• Exploit Public-Facing Application (v1.0→v1.0)
• Exploitation of Remote Services (v1.0→v1.0)
• External Remote Services (v1.0→v1.0)
• Internet Accessible Device (v1.0→v1.0)
• Loss of Availability (v1.0→v1.0)
• Loss of Control (v1.0→v1.0)
• Loss of Productivity and Revenue (v1.0→v1.0)
• Loss of Protection (v1.0→v1.0)
• Loss of Safety (v1.0→v1.0)
• Manipulation of View (v1.0→v1.0)
• Native API (v1.0→v1.0)
• Network Sniffing (v1.0→v1.0)
• Project File Infection (v1.0→v1.0)
• Replication Through Removable Media (v1.0→v1.0)
• Scripting (v1.0→v1.0)

Technique Revocations

• No changes

Technique Deprecations

• No changes

Software

Enterprise

New Software

• Action RAT (v1.0)
• Amadey (v1.0)
• AuTo Stealer (v1.0)
• Bumblebee (v1.0)
• Chinoxy (v1.0)
• CreepyDrive (v1.0)
• CreepySnail (v1.0)
• DCSrv (v1.0)
• DanBot (v1.0)
• DnsSystem (v1.0)
• FunnyDream (v1.0)
• Heyoka Backdoor (v1.0)
• IceApple (v1.0)
• Kevin (v1.0)
• MacMa (v1.0)
• Milan (v1.0)
• Mongall (v1.0)
• Mori (v1.0)
• OutSteel (v1.0)
• PcShare (v1.0)
• PingPull (v1.0)
• PowGoop (v1.0)
• PowerLess (v1.0)
• PyDCrypt (v1.0)
• Rclone (v1.0)
• STARWHALE (v1.0)
• SUGARDUMP (v1.0)
• SUGARUSH (v1.0)
• Saint Bot (v1.0)
• Shark (v1.0)
• Small Sieve (v1.0)
• Squirrelwaffle (v1.0)
• StrifeWater (v1.0)
• Tarrask (v1.0)
• ZxxZ (v1.0)
• ccf32 (v1.0)
• macOS.OSAMiner (v1.0)

Software Changes

• AADInternals (v1.0→v1.1)
• ASPXSpy (v1.1→v1.2)
• AdFind (v1.0→v1.1)
• AppleJeus (v1.0→v1.1)
• Azorult (v1.2→v1.3)
• BITSAdmin (v1.2→v1.3)
• Bazar (v1.1→v1.2)
• BloodHound (v1.2→v1.3)
• Cobalt Strike (v1.8→v1.9)
• ComRAT (v1.2→v1.3)
• Conti (v2.0→v2.1)
• CostaBricks (v1.0→v1.1)
• Crimson (v1.2→v1.3)
• Dtrack (v1.0→v1.1)
• Empire (v1.4→v1.5)
• FlawedAmmyy (v1.1→v1.2)
• Goopy (v1.0→v1.1)
• GrimAgent (v1.0→v1.1)
• Impacket (v1.2→v1.3)
• Industroyer (v1.0→v1.1)
• Invoke-PSImage (v1.0→v1.1)
• KOCTOPUS (v1.0→v1.1)
• MCMD (v1.0→v1.1)
• Mimikatz (v1.5→v1.6)
• Mis-Type (v1.1→v1.2)
• Misdat (v1.1→v1.2)
• OSX/Shlayer (v1.2→v1.3)
• POWERSTATS (v2.1→v2.2)
• PS1 (v1.0→v1.1)
• Penquin (v1.0→v1.1)
• Pillowmint (v1.0→v1.1)
• Ping (v1.1→v1.2)
• PoisonIvy (v2.0→v2.1)
• PoshC2 (v1.2→v1.3)
• PowerSploit (v1.4→v1.5)
• PsExec (v1.2→v1.3)
• Pteranodon (v2.0→v2.1)
• QuasarRAT (v1.3→v2.0)
• RTM (v1.1→v1.2)
• Reg (v1.0→v1.1)
• Remcos (v1.2→v1.3)
• Rising Sun (v1.0→v2.0)
• S-Type (v1.1→v1.2)
• SDBbot (v2.0→v2.1)
• SMOKEDHAM (v1.0→v1.1)
• SUNBURST (v2.2→v2.3)
• SYSCON (v1.0→v1.1)
• ShadowPad (v1.0→v1.1)
• SombRAT (v1.1→v1.2)
• Stuxnet (v1.1→v1.2)
• Systeminfo (v1.0→v1.1)
• Tasklist (v1.0→v1.1)
• Tor (v1.1→v1.2)
• Wevtutil (v1.0→v1.1)
• XCSSET (v1.1→v1.2)
• ZLib (v1.1→v1.2)
• at (v1.2→v1.3)
• cmd (v1.1→v1.2)
• dsquery (v1.2→v1.3)
• gh0st RAT (v3.0→v3.1)
• gsecdump (v1.1→v1.2)
• ipconfig (v1.0→v1.1)
• netstat (v1.0→v1.1)
• njRAT (v1.3→v1.4)
• zwShell (v1.1→v2.0)

Minor Software Changes

• Backdoor.Oldrea (v2.0→v2.0)
• Bad Rabbit (v1.0→v1.0)
• BlackEnergy (v1.3→v1.3)
• CSPY Downloader (v1.0→v1.0)
• DarkWatchman (v1.0→v1.0)
• ELMER (v1.1→v1.1)
• Flame (v1.1→v1.1)
• Grandoreiro (v1.0→v1.0)
• HermeticWiper (v1.0→v1.0)
• Metamorfo (v2.0→v2.0)
• MirageFox (v1.1→v1.1)
• Mivast (v1.1→v1.1)
• Net Crawler (v1.1→v1.1)
• POWERSOURCE (v1.1→v1.1)
• REvil (v2.0→v2.0)
• RawDisk (v1.0→v1.0)
• Ryuk (v1.3→v1.3)
• Sibot (v1.0→v1.0)
• TEXTMATE (v1.1→v1.1)
• TinyZBot (v1.1→v1.1)

Software Revocations

• No changes

Software Deprecations

• No changes

Mobile

New Software

• No changes

Software Changes

• No changes

Minor Software Changes

• No changes

Software Revocations

• No changes

Software Deprecations

• No changes

ICS

New Software

• INCONTROLLER (v1.0)

Software Changes

• Industroyer (v1.0→v1.1)
• Stuxnet (v1.1→v1.2)

Minor Software Changes

• ACAD/Medre.A (v1.0→v1.0)
• Backdoor.Oldrea (v2.0→v2.0)
• Bad Rabbit (v1.0→v1.0)
• BlackEnergy (v1.3→v1.3)
• Flame (v1.1→v1.1)
• PLC-Blaster (v1.0→v1.0)
• Triton (v1.0→v1.0)
• VPNFilter (v1.0→v1.0)

Software Revocations

• No changes

Software Deprecations

• No changes

Groups

Enterprise

New Groups

• Aoqin Dragon (v1.0)
• BITTER (v1.0)
• EXOTIC LILY (v1.0)
• Earth Lusca (v1.0)
• Ember Bear (v1.0)
• HEXANE (v2.0)
• LAPSUS$ (v1.0)
• Moses Staff (v1.0)
• POLONIUM (v1.0)
• SideCopy (v1.0)

Group Changes

• APT29 (v3.0→v3.1)
• CopyKittens (v1.5→v1.6)
• Darkhotel (v2.0→v2.1)
• Dragonfly (v3.0→v3.1)
• GALLIUM (v2.0→v3.0)
• HAFNIUM (v1.1→v1.2)
• Lazarus Group (v3.0→v3.1)
• Magic Hound (v4.1→v5.0)
• MuddyWater (v3.0→v4.0)
• TA505 (v1.3→v2.0)
• TeamTNT (v1.1→v1.2)
• Transparent Tribe (v1.0→v1.1)

Minor Group Changes

• APT16 (v1.1→v1.1)
• APT39 (v3.1→v3.1)
• APT41 (v3.0→v3.0)
• Aquatic Panda (v1.0→v1.0)
• Cleaver (v1.3→v1.3)
• Confucius (v1.0→v1.0)
• Deep Panda (v1.2→v1.2)
• FIN6 (v3.2→v3.2)
• FIN7 (v2.1→v2.1)
• Fox Kitten (v1.0→v1.0)
• Indrik Spider (v2.1→v2.1)
• Ke3chang (v2.0→v2.0)
• Nomadic Octopus (v1.0→v1.0)
• OilRig (v3.0→v3.0)
• Patchwork (v1.4→v1.4)
• Sandworm Team (v2.2→v2.2)
• Silence (v2.1→v2.1)
• Turla (v3.0→v3.0)
• menuPass (v2.1→v2.1)

Group Revocations

• No changes

Group Deprecations

• CostaRicto (v1.0)
• Dust Storm (v1.0)
• Frankenstein (v1.1)
• Honeybee (v1.1)
• Night Dragon (v1.4)
• Operation Wocao (v1.0)
• Sharpshooter (v1.0)

Mobile

New Groups

• Earth Lusca (v1.0)

Group Changes

• No changes

Minor Group Changes

• Sandworm Team (v2.2→v2.2)

Group Revocations

• No changes

Group Deprecations

• No changes

ICS

New Groups

• No changes

Group Changes

• Dragonfly (v3.0→v3.1)
• HEXANE (v1.0→v2.0)
• Lazarus Group (v3.0→v3.1)

Minor Group Changes

• FIN6 (v3.2→v3.2)
• FIN7 (v2.1→v2.1)
• OilRig (v3.0→v3.0)
• Sandworm Team (v2.2→v2.2)

Group Revocations

• No changes

Group Deprecations

• No changes

Mitigations

Enterprise

New Mitigations

• No changes

Mitigation Changes

• No changes

Minor Mitigation Changes

• Account Use Policies (v1.0→v1.0)
• Audit (v1.1→v1.1)
• Credential Access Protection (v1.1→v1.1)
• Multi-factor Authentication (v1.0→v1.0)
• Password Policies (v1.0→v1.0)

Mitigation Revocations

• No changes

Mitigation Deprecations

• No changes

Mobile

New Mitigations

• No changes

Mitigation Changes

• No changes

Minor Mitigation Changes

• No changes

Mitigation Revocations

• No changes

Mitigation Deprecations

• No changes

ICS

New Mitigations

• No changes

Mitigation Changes

• No changes

Minor Mitigation Changes

• No changes

Mitigation Revocations

• No changes

Mitigation Deprecations

• No changes

Data Sources and/or Components

Enterprise

New Data Sources and/or Components

• No changes

Data Source and/or Component Changes

• Command (v1.0→v1.1)
• Command Execution (v1.0→v1.1)
• Logon Session (v1.0→v1.1)
• Logon Session Creation (v1.0→v1.1)
• Malware Repository (v1.0→v1.1)
• Malware Content (v1.0→v1.1)
• Malware Metadata (v1.0→v1.1)
• Network Traffic (v1.0→v1.1)
• Network Connection Creation (v1.0→v1.1)
• Process (v1.0→v1.1)
• Process Creation (v1.0→v1.1)
• Script (v1.0→v1.1)
• Script Execution (v1.0→v1.1)
• Sensor Health (v1.0→v1.1)
• Host Status (v1.0→v1.1)
• User Account (v1.0→v1.1)
• User Account Authentication (v1.0→v1.1)

Minor Data Source and/or Component Changes

• No changes

Data Source and/or Component Revocations

• No changes

Data Source and/or Component Deprecations

• Cluster (v1.0)
• Cluster Metadata (v1.0)

Mobile

ATT&CK for Mobile does not support structured data sources

ICS

New Data Sources and/or Components

• Asset (v1.0)
• Asset Inventory (v1.0)
• Software (v1.0)
• Scheduled Job: Scheduled Job Creation (v1.0)
• Service: Service Modification (v1.0)

Data Source and/or Component Changes

• Command (v1.0→v1.1)
• Command Execution (v1.0→v1.1)
• Logon Session (v1.0→v1.1)
• Logon Session Creation (v1.0→v1.1)
• Network Traffic (v1.0→v1.1)
• Network Connection Creation (v1.0→v1.1)
• Process (v1.0→v1.1)
• Process Creation (v1.0→v1.1)
• Script (v1.0→v1.1)
• Script Execution (v1.0→v1.1)
• User Account (v1.0→v1.1)
• User Account Authentication (v1.0→v1.1)

Minor Data Source and/or Component Changes

• No changes

Data Source and/or Component Revocations

• No changes

Data Source and/or Component Deprecations

• No changes

Contributors to this release

• Aagam Shah, @neutrinoguy, ABB
• Andrea Serrano Urea, Telefónica Tech
• Andrew Allen, @whitehat_zero
• AppOmni
• AttackIQ
• Austin Clark, @c2defense
• Awake Security
• Blake Strom, Microsoft 365 Defender
• Boominathan Sundaram
• Brandon Dalton @PartyD0lphin
• Catherine Williams, BT Security
• Chris Heald
• Cian Heasley
• Cisco
• CrowdStrike
• CrowdStrike Falcon OverWatch
• Daniel Feichter, @VirtualAllocEx, Infosec Tirol
• Daniyal Naeem, BT Security
• Darin Smith, Cisco
• David Hughes, BT Security
• David Tayouri
• Dragos Threat Intelligence
• Dray Agha, @Purp1eW0lf, Huntress Labs
• Edward Millington
• Eran Ayalon, Cybereason
• Erik Schamper, @Schamperr, Fox-IT
• ExtraHop
• Flavio Costa, Cisco
• Francesco Bigarella
• Goldstein Menachem
• Hannah Simes, BT Security
• Harry Hill, BT Security
• Harshal Tupsamudre, Qualys
• Hiroki Nagahama, NEC Corporation
• Ian Davila, Tidal Cyber
• Ian McKay
• Ilan Sokol, Cybereason
• Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
• Joas Antonio dos Santos, @Cr4zyC0d3
• Kyaw Pyiyt Htet, @KyawPyiytHtet
• Lee Christensen, SpecterOps
• Liran Ravich, CardinalOps
• Lucas Heiligenstein
• Maarten van Dantzig, @MaartenVDantzig, Fox-IT
• Manikanran Srinivasan, NEC Corporation India
• Matt Brenton, Zurich Insurance Group
• Matt Burrough, @mattburrough, Microsoft
• Menachem Goldstein
• Mindaugas Gudzis, BT Security
• Miriam Wiesner, @miriamxyra, Microsoft Security
• Nick Cairns, @grotezinfosec
• Oleg Kolesnikov, Securonix
• Oren Ofer, Cybereason
• Ozer Sarilar, @ozersarilar, STM
• Phill Taylor, BT Security
• Pooja Natarajan, NEC Corporation India
• Praetorian
• Raphaël Lheureux
• SarathKumar Rajendran, Trimble Inc
• Sebastian Showell-Westrip, BT Security
• Sekhar Sarukkai, McAfee
• Shailesh Tiwary (Indian Army)
• Shanief Webb
• Sittikorn Sangrattanapitak
• Swasti Bhushan Deb, IBM India Pvt. Ltd.
• Thirumalai Natarajan, Mandiant
• Tim (Wadhwa-)Brown
• Tristan Bennett, Seamless Intelligence
• Uriel Kosayev
• Vadim Khrykov
• Varonis Threat Labs
• Vijay Lalwani
• Vinayak Wadhwa, Lucideus
• Will Thomas, Equinix Threat Analysis Center (ETAC)
• Yoshihiro Kori, NEC Corporation