Updates - October 2023

Version	Start Date	End Date	Data	Changelogs
ATT&CK v14	October 31, 2023	April 22, 2024	v14.0 on MITRE/CTI v14.1 on MITRE/CTI	13.1 - 14.0 Details (JSON) 14.0 - 14.1 Details (JSON)

The October 2023 (v14) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS. The biggest changes in ATT&CK v14 are a large expansion of detection notes and analytics to Techniques in Enterprise, a minor scoping change to Enterprise resulting in coverage of Financial Theft and Voice Phishing, structured Detections in Mobile, and the (re-)addition of Assets to ICS. An accompanying blog post describes these changes as well as improvements across ATT&CK's various domains and platforms.

This release also includes a human-readable detailed changelog showing more specifically what changed in updated ATT&CK objects, and a machine-readable JSON changelog, whose format is described in ATT&CK's Github.

This version of ATT&CK contains 760 Pieces of Software, 143 Groups, and 24 Campaigns. Broken out by domain:

• Enterprise: 201 Techniques, 424 Sub-Techniques, 141 Groups, 648 Pieces of Software, 23 Campaigns, 43 Mitigations, and 109 Data Sources
• Mobile: 72 Techniques, 42 Sub-Techniques, 8 Groups, 108 Pieces of Software, 1 Campaign, 12 Mitigations, and 15 Data Sources
• ICS: 81 Techniques, 13 Groups, 21 Pieces of Software, 52 Mitigations, 3 Campaigns, 14 Assets, and 34 Data Sources

Release Notes Terminology

• New: ATT&CK objects which are only present in the new release.
• Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
• Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
• Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
• Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something immaterial like a typo, a URL, or some metadata was fixed)
• Revocations: ATT&CK objects which are revoked by a different object.
• Deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
• Deletions: ATT&CK objects which are no longer found in the STIX data.

Techniques

Enterprise

New Techniques

• Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (v1.0)
• Account Manipulation: Additional Container Cluster Roles (v1.0)
• Content Injection (v1.0)
• Credentials from Password Stores: Cloud Secrets Management Stores (v1.0)
• Exfiltration Over Web Service: Exfiltration Over Webhook (v1.0)
• Financial Theft (v1.0)
• Hide Artifacts: Ignore Process Interrupts (v1.0)
• Impair Defenses: Disable or Modify Linux Audit System (v1.0)
• Impersonation (v1.0)
• Log Enumeration (v1.0)
• Masquerading: Break Process Trees (v1.0)
• Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations (v1.0)
• Obfuscated Files or Information: LNK Icon Smuggling (v1.0)
• Phishing: Spearphishing Voice (v1.0)
• Phishing for Information: Spearphishing Voice (v1.0)
• Power Settings (v1.0)
• Remote Services: Direct Cloud VM Connections (v1.0)
• System Network Configuration Discovery: Wi-Fi Discovery (v1.0)

Major Version Changes

• Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (v1.2→v2.0)
• Impair Defenses: Disable or Modify Cloud Logs (v1.3→v2.0)

Minor Version Changes

• Abuse Elevation Control Mechanism (v1.1→v1.2)
• Access Token Manipulation: Token Impersonation/Theft (v1.1→v1.2)
• Account Manipulation (v2.5→v2.6)
• Additional Cloud Credentials (v2.5→v2.6)
• Additional Cloud Roles (v2.2→v2.3)
• Additional Email Delegate Permissions (v2.0→v2.1)
• Device Registration (v1.1→v1.2)
• SSH Authorized Keys (v1.2→v1.3)
• Acquire Infrastructure (v1.2→v1.3)
• Adversary-in-the-Middle (v2.2→v2.3)
• Application Layer Protocol: File Transfer Protocols (v1.0→v1.1)
• Application Layer Protocol: Web Protocols (v1.1→v1.2)
• Archive Collected Data: Archive via Utility (v1.2→v1.3)
• Boot or Logon Autostart Execution: Print Processors (v1.0→v1.1)
• Boot or Logon Autostart Execution: Winlogon Helper DLL (v1.0→v1.1)
• Boot or Logon Autostart Execution: XDG Autostart Entries (v1.0→v1.1)
• Boot or Logon Initialization Scripts (v2.1→v2.2)
• Brute Force: Credential Stuffing (v1.3→v1.4)
• Brute Force: Password Guessing (v1.4→v1.5)
• Brute Force: Password Spraying (v1.3→v1.4)
• Cloud Service Dashboard (v1.1→v1.2)
• Command and Scripting Interpreter: Windows Command Shell (v1.2→v1.3)
• Compromise Client Software Binary (v1.0→v1.1)
• Compromise Infrastructure (v1.3→v1.4)
• Create Account (v2.3→v2.4)
• Cloud Account (v1.3→v1.4)
• Domain Account (v1.0→v1.1)
• Local Account (v1.2→v1.3)
• Create or Modify System Process: Systemd Service (v1.3→v1.4)
• Create or Modify System Process: Windows Service (v1.3→v1.4)
• Credentials from Password Stores (v1.0→v1.1)
• Data Destruction (v1.1→v1.2)
• Data from Cloud Storage (v2.0→v2.1)
• Data from Network Shared Drive (v1.3→v1.4)
• Deobfuscate/Decode Files or Information (v1.2→v1.3)
• Direct Volume Access (v2.0→v2.1)
• Email Collection (v2.4→v2.5)
• Remote Email Collection (v1.1→v1.2)
• Event Triggered Execution: Screensaver (v1.1→v1.2)
• Exfiltration Over Other Network Medium (v1.1→v1.2)
• Exfiltration Over Web Service (v1.2→v1.3)
• Exfiltration to Cloud Storage (v1.1→v1.2)
• Exfiltration to Code Repository (v1.0→v1.1)
• Exploitation for Credential Access (v1.4→v1.5)
• Exploitation for Defense Evasion (v1.3→v1.4)
• File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (v1.1→v1.2)
• Forced Authentication (v1.2→v1.3)
• Forge Web Credentials (v1.3→v1.4)
• Hide Artifacts: Email Hiding Rules (v1.2→v1.3)
• Hijack Execution Flow: Path Interception by PATH Environment Variable (v1.0→v1.1)
• Impair Defenses (v1.4→v1.5)
• Disable Windows Event Logging (v1.2→v1.3)
• Disable or Modify Tools (v1.4→v1.5)
• Downgrade Attack (v1.1→v1.2)
• Indicator Blocking (v1.2→v1.3)
• Indicator Removal: Clear Network Connection History and Configurations (v1.0→v1.1)
• Indicator Removal: Clear Windows Event Logs (v1.2→v1.3)
• Ingress Tool Transfer (v2.2→v2.3)
• Inhibit System Recovery (v1.2→v1.3)
• Input Capture: Keylogging (v1.1→v1.2)
• Inter-Process Communication: Dynamic Data Exchange (v1.2→v1.3)
• Lateral Tool Transfer (v1.2→v1.3)
• Masquerading (v1.5→v1.6)
• Masquerade Task or Service (v1.1→v1.2)
• Match Legitimate Name or Location (v1.1→v1.2)
• Modify Authentication Process: Multi-Factor Authentication (v1.0→v1.1)
• Modify Cloud Compute Infrastructure (v1.1→v1.2)
• Modify Registry (v1.3→v1.4)
• Native API (v2.1→v2.2)
• Network Service Discovery (v3.0→v3.1)
• Network Share Discovery (v3.1→v3.2)
• Network Sniffing (v1.4→v1.5)
• Non-Application Layer Protocol (v2.2→v2.3)
• OS Credential Dumping: LSASS Memory (v1.2→v1.3)
• OS Credential Dumping: NTDS (v1.1→v1.2)
• OS Credential Dumping: Security Account Manager (v1.0→v1.1)
• Obfuscated Files or Information (v1.4→v1.5)
• Embedded Payloads (v1.0→v1.1)
• HTML Smuggling (v1.0→v1.1)
• Phishing (v2.3→v2.4)
• Spearphishing Link (v2.4→v2.5)
• Phishing for Information (v1.2→v1.3)
• Spearphishing Link (v1.4→v1.5)
• Process Discovery (v1.3→v1.4)
• Process Injection: Dynamic-link Library Injection (v1.2→v1.3)
• Process Injection: Process Hollowing (v1.2→v1.3)
• Reflective Code Loading (v1.0→v1.1)
• Remote Access Software (v2.1→v2.2)
• Remote Service Session Hijacking: RDP Hijacking (v1.0→v1.1)
• Remote Services (v1.3→v1.4)
• Distributed Component Object Model (v1.2→v1.3)
• Remote Desktop Protocol (v1.1→v1.2)
• SMB/Windows Admin Shares (v1.1→v1.2)
• SSH (v1.1→v1.2)
• Windows Remote Management (v1.1→v1.2)
• Remote System Discovery (v3.4→v3.5)
• Resource Hijacking (v1.3→v1.4)
• Scheduled Task/Job: At (v2.0→v2.1)
• Scheduled Task/Job: Scheduled Task (v1.3→v1.4)
• Scheduled Task/Job: Systemd Timers (v1.1→v1.2)
• Shared Modules (v2.1→v2.2)
• Software Deployment Tools (v2.1→v2.2)
• Subvert Trust Controls: Install Root Certificate (v1.1→v1.2)
• System Binary Proxy Execution: Rundll32 (v2.1→v2.2)
• System Network Configuration Discovery (v1.5→v1.6)
• System Owner/User Discovery (v1.4→v1.5)
• System Services: Service Execution (v1.1→v1.2)
• Taint Shared Content (v1.3→v1.4)
• Trusted Developer Utilities Proxy Execution: MSBuild (v1.2→v1.3)
• Unsecured Credentials: Credentials In Files (v1.1→v1.2)
• Unsecured Credentials: Credentials in Registry (v1.0→v1.1)
• Use Alternate Authentication Material: Pass the Hash (v1.1→v1.2)
• Valid Accounts: Cloud Accounts (v1.5→v1.6)
• Valid Accounts: Domain Accounts (v1.3→v1.4)
• Valid Accounts: Local Accounts (v1.3→v1.4)
• Windows Management Instrumentation (v1.3→v1.4)

Patches

• Cloud Service Discovery (v1.3)
• Event Triggered Execution: PowerShell Profile (v1.1)
• Forge Web Credentials: SAML Tokens (v1.2)
• Forge Web Credentials: Web Cookies (v1.1)
• Masquerading: Masquerade File Type (v1.0)
• Masquerading: Rename System Utilities (v1.1)
• OS Credential Dumping: Cached Domain Credentials (v1.0)
• Replication Through Removable Media (v1.2)
• Steal Application Access Token (v1.2)
• Steal Web Session Cookie (v1.2)
• System Binary Proxy Execution: Compiled HTML File (v2.1)
• Use Alternate Authentication Material: Application Access Token (v1.5)
• Use Alternate Authentication Material: Web Session Cookie (v1.3)

Mobile

New Techniques

• Application Versioning (v1.0)
• Data Destruction (v1.0)
• Exploitation for Client Execution (v1.0)
• Masquerading (v1.0)
• Match Legitimate Name or Location (v1.0)
• Phishing (v1.0)
• Remote Access Software (v1.0)

Minor Version Changes

• Call Control (v1.1→v1.2)
• Command and Scripting Interpreter (v1.1→v1.2)
• Unix Shell (v1.1→v1.2)
• Download New Code at Runtime (v1.4→v1.5)
• Drive-By Compromise (v2.1→v2.2)
• Dynamic Resolution (v1.0→v1.1)
• Domain Generation Algorithms (v1.0→v1.1)
• Exfiltration Over Alternative Protocol (v1.0→v1.1)
• Exfiltration Over Unencrypted Non-C2 Protocol (v1.0→v1.1)
• Exfiltration Over C2 Channel (v1.0→v1.1)
• Impair Defenses: Prevent Application Removal (v1.1→v1.2)
• Ingress Tool Transfer (v2.1→v2.2)
• Input Injection (v1.1→v1.2)
• Lockscreen Bypass (v1.2→v1.3)
• Obfuscated Files or Information (v3.0→v3.1)
• Replication Through Removable Media (v2.0→v2.1)
• Web Service (v1.2→v1.3)
• Bidirectional Communication (v1.1→v1.2)
• Dead Drop Resolver (v1.1→v1.2)
• One-Way Communication (v1.1→v1.2)

Patches

• Credentials from Password Store (v1.1)
• Exploitation for Privilege Escalation (v2.1)
• Hijack Execution Flow: System Runtime API Hijacking (v1.1)
• Location Tracking: Impersonate SS7 Nodes (v1.1)
• Non-Standard Port (v2.1)

ICS

Minor Version Changes

• Block Command Message (v1.0→v1.1)
• Modify Controller Tasking (v1.1→v1.2)
• Modify Parameter (v1.2→v1.3)
• Modify Program (v1.1→v1.2)
• Service Stop (v1.0→v1.1)

Patches

• Activate Firmware Update Mode (v1.0)
• Adversary-in-the-Middle (v2.0)
• Alarm Suppression (v1.2)
• Automated Collection (v1.0)
• Block Reporting Message (v1.0)
• Block Serial COM (v1.1)
• Brute Force I/O (v1.1)
• Change Credential (v1.0)
• Change Operating Mode (v1.0)
• Command-Line Interface (v1.1)
• Commonly Used Port (v1.1)
• Connection Proxy (v1.1)
• Damage to Property (v1.1)
• Data Destruction (v1.0)
• Data from Information Repositories (v1.2)
• Data from Local System (v1.0)
• Default Credentials (v1.0)
• Denial of Control (v1.1)
• Denial of Service (v1.1)
• Denial of View (v1.1)
• Detect Operating Mode (v1.0)
• Device Restart/Shutdown (v1.1)
• Drive-by Compromise (v1.0)
• Execution through API (v1.1)
• Exploit Public-Facing Application (v1.0)
• Exploitation for Evasion (v1.1)
• Exploitation for Privilege Escalation (v1.1)
• Exploitation of Remote Services (v1.0)
• External Remote Services (v1.1)
• Graphical User Interface (v1.1)
• Hardcoded Credentials (v1.0)
• Hooking (v1.2)
• I/O Image (v1.1)
• Indicator Removal on Host (v1.0)
• Internet Accessible Device (v1.0)
• Lateral Tool Transfer (v1.1)
• Loss of Availability (v1.0)
• Loss of Control (v1.0)
• Loss of Productivity and Revenue (v1.0)
• Loss of Protection (v1.0)
• Loss of Safety (v1.0)
• Loss of View (v1.0)
• Manipulate I/O Image (v1.1)
• Manipulation of Control (v1.0)
• Manipulation of View (v1.0)
• Masquerading (v1.1)
• Modify Alarm Settings (v1.2)
• Module Firmware (v1.1)
• Monitor Process State (v1.0)
• Native API (v1.0)
• Network Connection Enumeration (v1.1)
• Network Sniffing (v1.0)
• Point & Tag Identification (v1.1)
• Program Download (v1.1)
• Program Upload (v1.0)
• Project File Infection (v1.0)
• Remote Services (v1.1)
• Remote System Discovery (v1.1)
• Remote System Information Discovery (v1.1)
• Replication Through Removable Media (v1.0)
• Rogue Master (v1.2)
• Rootkit (v1.1)
• Screen Capture (v1.0)
• Scripting (v1.0)
• Spearphishing Attachment (v1.1)
• Spoof Reporting Message (v1.2)
• Standard Application Layer Protocol (v1.0)
• Supply Chain Compromise (v1.1)
• System Firmware (v1.1)
• Theft of Operational Information (v1.0)
• Transient Cyber Asset (v1.2)
• Unauthorized Command Message (v1.2)
• User Execution (v1.1)
• Valid Accounts (v1.1)
• Wireless Compromise (v1.2)
• Wireless Sniffing (v1.1)

Software

Enterprise

New Software

• ANDROMEDA (v1.0)
• AsyncRAT (v1.0)
• BADHATCH (v1.0)
• Disco (v1.0)
• KOPILUWAK (v1.0)
• NightClub (v1.0)
• Pacu (v1.0)
• QUIETCANARY (v1.0)
• QUIETEXIT (v1.0)
• RotaJakiro (v1.0)
• Sardonic (v1.0)
• SharpDisco (v1.0)
• Snip3 (v1.0)
• ngrok (v1.2)

Major Version Changes

• OSX_OCEANLOTUS.D (v2.2→v3.0)
• Uroburos (v1.0→v2.0)

Minor Version Changes

• AdFind (v1.2→v1.3)
• Agent Tesla (v1.2→v1.3)
• Arp (v1.1→v1.2)
• BITSAdmin (v1.3→v1.4)
• BlackEnergy (v1.3→v1.4)
• BloodHound (v1.4→v1.5)
• Cobalt Strike (v1.10→v1.11)
• Conti (v2.1→v2.2)
• CrossRAT (v1.1→v1.2)
• Dridex (v2.0→v2.1)
• Emotet (v1.4→v1.5)
• Empire (v1.6→v1.7)
• Fysbis (v1.2→v1.3)
• GoldMax (v2.1→v2.2)
• Imminent Monitor (v1.0→v1.1)
• Impacket (v1.4→v1.5)
• KillDisk (v1.1→v1.2)
• LaZagne (v1.4→v1.5)
• Mimikatz (v1.7→v1.8)
• NETWIRE (v1.5→v1.6)
• Net (v2.4→v2.5)
• Nltest (v1.1→v1.2)
• OSX/Shlayer (v1.3→v1.4)
• Ping (v1.3→v1.4)
• PsExec (v1.4→v1.5)
• Pupy (v1.2→v1.3)
• Ragnar Locker (v1.1→v1.2)
• Regin (v1.1→v1.2)
• Revenge RAT (v1.1→v1.2)
• Rubeus (v1.0→v1.1)
• Ryuk (v1.3→v1.4)
• TrickBot (v2.0→v2.1)
• WarzoneRAT (v1.0→v1.1)
• certutil (v1.3→v1.4)
• esentutl (v1.2→v1.3)
• jRAT (v2.1→v2.2)
• netstat (v1.1→v1.2)
• njRAT (v1.4→v1.5)

Patches

• BlackCat (v1.0)
• Calisto (v1.1)
• Carbanak (v1.1)
• Doki (v1.0)
• Industroyer (v1.1)
• LockerGoga (v2.0)
• PUNCHBUGGY (v2.1)
• PUNCHTRACK (v1.1)
• PowerSploit (v1.6)

Revocations

• Ngrok (revoked by ngrok) (v1.1)

Mobile

New Software

• BOULDSPY (v1.0)
• Chameleon (v1.0)
• Escobar (v1.0)
• Fakecalls (v1.0)
• FlyTrap (v1.0)
• Hornbill (v1.0)
• Sunbird (v1.0)

ICS

Minor Version Changes

• BlackEnergy (v1.3→v1.4)
• KillDisk (v1.1→v1.2)
• Ryuk (v1.3→v1.4)

Patches

• Industroyer (v1.1)
• LockerGoga (v2.0)

Groups

Enterprise

New Groups

• FIN13 (v1.0)
• MoustachedBouncer (v1.0)
• Scattered Spider (v1.0)
• TA2541 (v1.0)
• Volt Typhoon (v1.0)

Major Version Changes

• APT29 (v4.0→v5.0)
• FIN7 (v2.2→v3.0)
• FIN8 (v1.3→v2.0)
• Indrik Spider (v2.1→v3.0)
• Turla (v3.1→v4.0)
• Wizard Spider (v2.1→v3.0)

Minor Version Changes

• APT32 (v2.6→v2.7)
• Confucius (v1.0→v1.1)
• Dragonfly (v3.1→v3.2)
• LAPSUS$ (v1.1→v1.2)
• Magic Hound (v5.1→v5.2)
• Sandworm Team (v3.0→v3.1)
• SilverTerrier (v1.1→v1.2)

Patches

• APT37 (v2.0)
• Ajax Security Team (v1.0)
• Darkhotel (v2.1)
• Kimsuky (v3.1)

Mobile

New Groups

• Confucius (v1.1)
• MoustachedBouncer (v1.0)

Minor Version Changes

• Sandworm Team (v3.0→v3.1)

ICS

Major Version Changes

• FIN7 (v2.2→v3.0)
• Wizard Spider (v2.1→v3.0)

Minor Version Changes

• Dragonfly (v3.1→v3.2)
• Sandworm Team (v3.0→v3.1)

Campaigns

Enterprise

New Campaigns

• 2015 Ukraine Electric Power Attack (v1.0)
• C0026 (v1.0)
• C0027 (v1.0)

Minor Version Changes

• Operation Dream Job (v1.0→v1.1)

Mobile

ICS

New Campaigns

• 2015 Ukraine Electric Power Attack (v1.0)

Deprecations

• Oldsmar Treatment Plant Intrusion (v1.0)

Assets

ICS

New Assets

• Application Server (v1.0)
• Control Server (v1.0)
• Data Gateway (v1.0)
• Data Historian (v1.0)
• Field I/O (v1.0)
• Human-Machine Interface (HMI) (v1.0)
• Intelligent Electronic Device (IED) (v1.0)
• Jump Host (v1.0)
• Programmable Logic Controller (PLC) (v1.0)
• Remote Terminal Unit (RTU) (v1.0)
• Routers (v1.0)
• Safety Controller (v1.0)
• Virtual Private Network (VPN) Server (v1.0)
• Workstation (v1.0)

Mitigations

Enterprise

Minor Version Changes

• Application Developer Guidance (v1.0→v1.1)

Mobile

New Mitigations

• Antivirus/Antimalware (v1.0)

Minor Version Changes

• Application Developer Guidance (v1.0→v1.1)

Patches

• Interconnection Filtering (v1.0)

ICS

Minor Version Changes

• Authorization Enforcement (v1.0→v1.1)
• Human User Authentication (v1.0→v1.1)

Patches

• Access Management (v1.0)
• Account Use Policies (v1.0)
• Antivirus/Antimalware (v1.0)
• Application Developer Guidance (v1.0)
• Application Isolation and Sandboxing (v1.0)
• Audit (v1.0)
• Boot Integrity (v1.0)
• Code Signing (v1.0)
• Communication Authenticity (v1.0)
• Data Backup (v1.0)
• Disable or Remove Feature or Program (v1.0)
• Encrypt Network Traffic (v1.0)
• Encrypt Sensitive Information (v1.0)
• Execution Prevention (v1.0)
• Exploit Protection (v1.0)
• Filter Network Traffic (v1.0)
• Limit Access to Resource Over Network (v1.0)
• Limit Hardware Installation (v1.0)
• Minimize Wireless Signal Propagation (v1.0)
• Multi-factor Authentication (v1.0)
• Network Allowlists (v1.0)
• Network Intrusion Prevention (v1.0)
• Network Segmentation (v1.0)
• Operating System Configuration (v1.0)
• Out-of-Band Communications Channel (v1.0)
• Password Policies (v1.0)
• Privileged Account Management (v1.0)
• Redundancy of Service (v1.0)
• Restrict File and Directory Permissions (v1.0)
• Restrict Library Loading (v1.0)
• Restrict Registry Permissions (v1.0)
• Restrict Web-Based Content (v1.0)
• Software Configuration (v1.0)
• Software Process and Device Authentication (v1.0)
• Static Network Configuration (v1.1)
• Supply Chain Management (v1.0)
• Update Software (v1.0)
• User Account Management (v1.0)
• User Training (v1.0)
• Validate Program Inputs (v1.0)
• Vulnerability Scanning (v1.0)

Contributors to this release

• Aaron Jornet
• Adam Lichters
• Adam Mashinchi
• Ai Kimura, NEC Corporation
• Alain Homewood
• Alex Spivakovsky, Pentera
• Amir Gharib, Microsoft Threat Intelligence
• Andrew Northern, @ex_raritas
• Arad Inbar, Fidelis Security
• Austin Herrin
• Ben Smith, @ezaspy
• Bilal Bahadır Yenici
• Blake Strom, Microsoft Threat Intelligence
• Brian Donohue
• Caio Silva
• Christopher Peacock
• Edward Stevens, BT Security
• Ford Qin, Trend Micro
• Giorgi Gurgenidze, ISAC
• Goldstein Menachem
• Gregory Lesnewich, @greglesnewich
• Gunji Satoshi, NEC Corporation
• Harry Kim, CODEMIZE
• Harun Küßner
• Hiroki Nagahama, NEC Corporation
• Itamar Mizrahi, Cymptom
• Jack Burns, HubSpot
• Janantha Marasinghe
• Jennifer Kim Roman, CrowdStrike
• Joas Antonio dos Santos, @C0d3Cr4zy
• Joe Gumke, U.S. Bank
• Joe Slowik - Dragos
• Joey Lei
• Juan Tapiador
• Liran Ravich, CardinalOps
• Manikantan Srinivasan, NEC Corporation India
• Martin McCloskey, Datadog
• Matt Green, @mgreen27
• Michael Raggi @aRtAGGI
• Mohit Rathore
• Naveen Devaraja, bolttech
• Noam Lifshitz, Sygnia
• Olaf Hartong, Falcon Force
• Oren Biderman, Sygnia
• Pawel Partyka, Microsoft Threat Intelligence
• Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd
• Pooja Natarajan, NEC Corporation India
• Sam Seabrook, Duke Energy
• Serhii Melnyk, Trustwave SpiderLabs
• Shailesh Tiwary (Indian Army)
• Shankar Raman, Gen Digital and Abhinand, Amrita University
• Sunders Bruskin, Microsoft Threat Intelligence
• Tahseen Bin Taj
• Thanabodi Phrakhun, @naikordian
• The DFIR Report
• Tim (Wadhwa-)Brown
• Tom Simpson, CrowdStrike Falcon OverWatch
• Tristan Madani (Cybereason)
• TruKno
• Uriel Kosayev
• Vijay Lalwani
• Will Thomas, Equinix
• Yasuhito Kawanishi, NEC Corporation
• Yoshihiro Kori, NEC Corporation
• Yossi Weizman, Microsoft Threat Intelligence