Skip to main content

Mitre recently completed their first ATT&CK Evaluation specifically for Managed Detection and Response (MDR) vendors. Unlike many past ATT&CK Evaluations where participants were aware of the adversary Tactics, Techniques and Procedures (TTPs), this one was run as a “Black Box”, meaning participants didn’t have advanced notice on the adversary TTPs that they would be faced to defend. In this evaluation, MITRE leveraged the TTPs of OilRig, an Iranian threat group, believed to be state sponsored in funding and research by the Islamic Republic of Iran.

OilRig Associated Threat Groups:

  • APT34
  • Helix Kitten
  • IRN2

Targeted Industries:

  • Financial
  • Government
  • Energy
  • Chemical
  • Telecommunications

ATT&CK Evaluation Operational Flow:

ATT&CK Evaluation Payloads:

  • SideTwist
  • RDAT
  • Mimikatz
  • TwoFace

Techniques used


Most Common Missed Substeps Across all Vendors

Total Substep Detections by MDR Vendor

Total Substep Misses by MDR Vendor

Vendors Using Microsoft Defender for Endpoint Compared

  • Atos
  • CriticalStart
  • Microsoft
  • Red Canary

Vendors using SentinelOne Compared

  • Open Text
  • SentinelOne

Vendors using Palo Alto Cortex Compared

  • Palo Alto Networks

The Highest in MDR Detections: Crowdstrike