diff --git a/nursery/hash-data-using-whirlpool.yml b/nursery/hash-data-using-whirlpool.yml
index 73a64829b..81342bcec 100644
--- a/nursery/hash-data-using-whirlpool.yml
+++ b/nursery/hash-data-using-whirlpool.yml
@@ -5,6 +5,10 @@ rule:
     authors:
       - william.ballenthin@mandiant.com
     scope: function
+    att&ck:
+      - Defense Evasion::Obfuscated Files or Information [T1027]
+    mbc:
+      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
     references:
       - https://github.com/jzelinskie/whirlpool/blob/master/const.go
     #examples: