FortiTester ATT&CK Database Version

| Name | ATT&CK Tactics & Techniques | Status | Update |
|---|---|---|---|
| create_ADS | Defense Evasion: NTFS File Attributes | Add | This step creates an Alternate Data Stream with the command prompt on the target machine. |
| execute_powerShell_from_windows_registry | Defense Evasion: Obfuscated Files or Information | Add | This step stores base64-encoded PowerShell code (Write-Host "Hi, FortiTester!") in the Windows Registry and deobfuscates it for execution. Upon successful execution, PowerShell will execute the encoded command. |
| PubPrn | Defense Evasion: Obfuscated Files or Information | Add | This step executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. This step may not work in some newer Windows versions. |
| regsvcs | Defense Evasion: Regsvcs/Regasm; Execution: Regsvcs/Regasm | Add | This step executes a DLL to open calc.exe via Regsvcs.exe on the target machine. |
| regsvr32_local_dll_execution | Defense Evasion: Regsvr32; Execution: Regsvr32 | Add | Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. This step opens calc.exe by executing a local DLL via Regsvr32.exe. |
| regsvr32_remote_COM_scriptlet_execution | Defense Evasion: Regsvr32; Execution: Regsvr32 | Add | Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. This step opens calc.exe by executing a remote COM scriptlet via Regsvr32.exe. |
| file_extension_masquerading | Defense Evasion: Masquerading | Add | This step executes a file masquerading as an Office file. Upon execution, a calc instance will be launched. |
| rundll32_execute_Vbscript | Defense Evasion: Rundll32; Execution: Rundll32 | Add | This step uses rundll32.exe and VBScript to execute commands. Upon execution, calc.exe will be launched. |
| rundll32_advpack_execution | Defense Evasion: Rundll32; Execution: Rundll32 | Add | This step tests execution of a command using rundll32.exe with advpack.dll. Upon execution, calc.exe will be launched. |
| attaches_cmd_as_debugger | Persistence: Accessibility Features; Privilege Escalation: Accessibility Features | Add | This step attaches cmd.exe to a list of processes. Upon successful execution, PowerShell will modify the registry and swap executables with cmd.exe. |
| regasm | Execution: Regsvcs/Regasm; Defense Evasion: Regsvcs/Regasm | Mod | This step executes a DLL to open calc.exe via Regasm.exe on the target machine. |