Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations

Thursday, March 21, 2024

2:00 - 3:00 PM EST

60 minutes, including Q&A

Batman once said, "you either die a hero or live long enough to see yourself become the villain." What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by "becoming the villain." We study some of the world's most advanced threat actors, develop a scenario, build malware and tools, then execute the operations against major EDR vendors. And the best part? Not only do we get the business justification of becoming a villain to advance defenders, but our code is also open-sourced.

Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.

First, our cyber threat intelligence (CTI) team demonstrates how to evaluate reports for the technical data needed to emulate the adversary's use of particular techniques. We will build a scenario, create CTI diagrams based on our analysis, address gaps in the data, and create alternative attack methods for the red team.

Next, the red team enters the scene to collaborate with the CTI team. They begin building malware, tools, and infrastructure. Translating approved open-source CTI reporting into code, we will walk through process injection, persistence, hands-on-keyboard discovery, and lateral movement for the emulation. Finally, it is time to launch the attack and see how our defenders respond, discern where to search for clues, and help them uncover our plot.

To coincide with this presentation, our code, research, and emulation plans will be publicly released. We hope this empowers the community to use our "become the villain" methodology to improve defenses. Helping defenders discern where to look for our footprints is how we justify our villainous acts.

Sponsored by:



Cat Self

Principal Adversary Emulation Engineer


Cat Self is an Adversary Emulation Engineer for MITRE ATT&CK® Evaluations, macOS/Linux Lead for ATT&CK®, and serves as a leader of people at MITRE. Cat started her cyber security career at Target and has worked as a developer, internal red team engineer, and threat hunter. Cat is a military intelligence veteran and pays it forward through mentorship, blogging, and public speaking. Outside of work, she is often planning an epic adventure, climbing mountains in foreign lands, or learning Chinese.

Kate Esprit

Senior Cyber Threat Intelligence Analyst


Kate Esprit is a Senior Cyber Threat Intelligence Analyst at MITRE and is the author of the Phishing for Answers cybersecurity blog. With over 7 years of experience in information security, Kate's career highlights include combating misinformation at Facebook/Meta, dispatching aircraft for emergency evacuations during Hurricane Maria, and working for Amnesty International in Argentina. She specializes in Latin American affairs and speaks Spanish and Portuguese. Outside of work, Kate is usually practicing her salsa dancing moves or baking delicious treats. You can follow Kate on Twitter @phish4answers.

Frank Cotto

Principal Solutions Architect

Progress Software

Frank Cotto is a Principal Solutions Architect with Progress Software. Frank started his career in customer support at Kemp Technologies, where he transitioned into enterprise engineering and later sales engineering. Frank works closely with customers, partners, and product management to architect solutions, evangelize Progress product use cases, and provide key insights into market needs. Today, Frank supports Progress's infrastructure monitoring and management product suite, which consists of industry-leading application delivery controllers, network detection and response solutions, and infrastructure, network, and application monitoring solutions.

Steve Paul


Black Hat