MITRE ATT&CK

@attack.mitre.org

MITRE ATT&CK® - A knowledge base for describing the behavior of adversaries. Replying/Following/Reposting ≠ endorsement.

7,225 Followers  |  16 Following  |  139 Posts  |  Joined: 19.12.2023

Latest posts by attack.mitre.org on Bluesky

The ATT&CK team is out at #hackersummercamp and happy to chat, meet up, or just share some stickers. Drop a DM or stop by an appearance if you’re interested in saying hi!

05.08.2025 14:20 — 👍 3    🔁 1    💬 0    📌 0
ATT&CKcon 6.0 MITRE ATT&CKcon | October 14 - 15, 2025

In-person ATT&CKcon 6.0 ticket sales are open! Come join us October 14-15 at ATT&CK HQ in McLean, VA. na.eventscloud.com/attackcon6/

We're almost set to announce this year's exciting speaker lineup and will open virtual registration Sep 3rd, so stay tuned!

30.07.2025 16:01 — 👍 3    🔁 3    💬 0    📌 0

Tonight's the night! The ATT&CKcon 6.0 CFP will automatically stop accepting submissions at 8pm ET tonight. Historically we get about half of our submissions today, so all you procrastinators are in good company.

Give it your best shot at openconf.org/ATTACKCON2025.

09.07.2025 13:15 — 👍 2    🔁 1    💬 0    📌 0

Wondering about tickets for ATT&CKcon 6.0? Details are coming soon.

07.07.2025 15:02 — 👍 0    🔁 0    💬 0    📌 0

We are excited to announce our ATT&CKcon 6.0 keynote, Lillian Teng! Lillian's worn numerous hats in cyber at NCIS, FBI, Yahoo, and Capital One and has served with the KC7 Foundation, GirlSecurity, and LEAP.

Want to also join us on stage? CFP closes Wed night! www.openconf.org/ATTACKCON2025.

07.07.2025 15:02 — 👍 6    🔁 0    💬 1    📌 1

Looking to attend in-person or virtually? Hang tight, ticket sales will be announced in the coming months.

03.06.2025 15:11 — 👍 0    🔁 0    💬 0    📌 0

Interested in sponsoring ATT&CKcon? We have a couple slots left, and you can find out more at na.eventscloud.com/attackcon6.

03.06.2025 15:11 — 👍 0    🔁 0    💬 1    📌 0

We're looking for what's practical, what's aspirational, and what you should never ever do with ATT&CK. We're looking to hear from the community on any and all applications of ATT&CK. From managers to operators, if you're using ATT&CK we want to hear from you.

03.06.2025 15:11 — 👍 1    🔁 0    💬 1    📌 0

The MITRE ATT&CKcon 6.0 CFP is now open! Are you interested in joining us on the ATT&CKcon stage in McLean, VA October 14-15, 2025? Pitch us on your best ATT&CK related talk! Our CFP will close on July 9th at 8pm ET sharp, so get those proposals started.
www.openconf.org/ATTACKCON202...

03.06.2025 15:11 — 👍 4    🔁 2    💬 1    📌 0

And make sure to check out the ESXi material on ATT&CK including T1675 cloud.google.com/blog/topics/...

And see the entire ATT&CK v17 release for more information medium.com/mitre-attack...

08.05.2025 12:32 — 👍 1    🔁 0    💬 0    📌 0
VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors | Mandiant | Google Cloud Blog

Read up on Google’s reporting: cloud.google.com/blog/topics/...

08.05.2025 12:32 — 👍 1    🔁 0    💬 1    📌 0

Google’s reporting details UNC3886, a Chinese cyber espionage group, using a zero-day vulnerability that enabled the execution of privileged commands across guest virtual machines without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs.

08.05.2025 12:32 — 👍 0    🔁 0    💬 1    📌 0

T1675 describes activity in which an adversary abuses ESXi admin services to execute commands on guest machines.

08.05.2025 12:32 — 👍 0    🔁 0    💬 1    📌 0
ESXi Administration Command, Technique T1675 - Enterprise | MITRE ATT&CK®

One of the big updates for ATT&CK v17 was the new platform ESXi which reflects the rise in attacks on virtualization infrastructure. The technique we’re spotlighting today is new to ATT&CK: T1675 ESXi Administration Command attack.mitre.org/techniques/T...

08.05.2025 12:32 — 👍 0    🔁 0    💬 1    📌 0

We’re currently reading Google’s reporting on VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors cloud.google.com/blog/topics/...

08.05.2025 12:32 — 👍 0    🔁 0    💬 1    📌 0

An old idea that still holds true: Fight the enemy where they aren’t. Threat actors take this advice to heart by avoiding Endpoint Detection and Response solutions and targeting systems that do not generally support EDR such as VMware ESXi hosts.

08.05.2025 12:32 — 👍 9    🔁 1    💬 1    📌 1
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) acco...

Read Volexity’s reporting here www.volexity.com/blog/2025/04... and be sure to browse the relevant procedures, mitigations, and detections at the ATT&CK technique page: attack.mitre.org/techniques/T...

30.04.2025 13:22 — 👍 1    🔁 0    💬 0    📌 0

Signal is a powerful end-to-end encrypted chat app. At the end of the day, that doesn’t help at all when you’re being spearphished. In fact, the lack of visibility and detection inherent in an encrypted chat app could even potentially hurt. That’s a wrinkle requiring vigilance on all parts.

30.04.2025 13:22 — 👍 1    🔁 0    💬 1    📌 0
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack cam...

The world turns, the seasons change, but Russian threat actors targeting Microsoft 365 accounts stays the same. Earlier this year, the same actors were spotted conducting similar attacks also leveraging chat apps like Signal www.volexity.com/blog/2025/02...

30.04.2025 13:22 — 👍 1    🔁 1    💬 1    📌 0
Phishing: Spearphishing via Service, Sub-technique T1566.003 - Enterprise | MITRE ATT&CK®

This behavior maps to T1566.003 Phishing: Spearphishing via Service, a technique in which adversaries send messages through various non-enterprise controlled services in large part because they are more likely to have a less-strict security policy than an enterprise. attack.mitre.org/techniques/T...

30.04.2025 13:22 — 👍 1    🔁 0    💬 1    📌 0

The adversary contacts a victim via Signal or WhatsApp, invites them to a meeting, and sends them an OAuth phishing URL to join. Once the OAuth code is given up, the threat actor can access the victim’s M365 account.

30.04.2025 13:22 — 👍 1    🔁 0    💬 1    📌 0

Russian actors have been spotted conducting highly targeted social engineering operations aimed at gaining access to their target’s Microsoft 365 accounts.

30.04.2025 13:22 — 👍 1    🔁 0    💬 1    📌 0

We’re currently reading Volexity’s recent report: “Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows” www.volexity.com/blog/2025/04...

30.04.2025 13:22 — 👍 2    🔁 1    💬 1    📌 0

🎣 Get in loser, we’re going phishing.

This week, we’re going to spotlight how Russian threat actors are phishing targets associated with Ukraine and human rights to abuse Microsoft OAuth.

30.04.2025 13:22 — 👍 11    🔁 3    💬 1    📌 0
Exclusive Control, Technique T1668 - Enterprise | MITRE ATT&CK®

Read about T1668 Exclusive Control at ATT&CK attack.mitre.org/techniques/T... and check out all of V17’s new changes here: attack.mitre.org/resources/up...

24.04.2025 17:01 — 👍 1    🔁 0    💬 0    📌 0

An adversary who finds a vulnerable target but wants to be the only threat actor on that machine might take similar actions like disabling vulnerable services or removing malware already on the device www.f-secure.com/v-descs/nets...

24.04.2025 17:00 — 👍 0    🔁 0    💬 1    📌 0
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect | Google Cloud Blog We observed a threat actor exploiting F5, ConnectWise, and other vulnerabilities.

For this technique, we’re reading a Google report in which researchers spotted some unusual behavior by the initial access brokers UNC5174: The hackers exploited a vulnerability, gained access, and then self-patched the machine. cloud.google.com/blog/topics/...

24.04.2025 17:00 — 👍 0    🔁 0    💬 1    📌 0

Exclusive Control is a persistence technique in which an adversary prevents other threat actors from accessing or maintaining a foothold on the same system as them.

24.04.2025 16:59 — 👍 1    🔁 0    💬 1    📌 0
ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures By: Amy Robertson and Adam Pennington

Make sure you read the team’s full write up on the new version of ATT&CK including a whole new ESXi platform and updates across the board medium.com/mitre-attack...

24.04.2025 16:59 — 👍 0    🔁 0    💬 1    📌 0

What happens when an adversary successfully compromises a target and then “closes the door” behind them? They gain Exclusive Control, a new technique for ATT&CK v17. Let’s take a closer look: attack.mitre.org/techniques/T...

24.04.2025 16:59 — 👍 5    🔁 1    💬 1    📌 0