FortiTester ATT&CK Database Version

| Name | ATT&CK Tactics & Techniques | Status | Update |
|---|---|---|---|
| unrecoverable_deleted_file | Impact: Data Destruction | Add | This step creates a file, then uses Sysinternals SDelete to overwrite and delete it. |
| disable_windows_recovery_console_repair | Impact: Inhibit System Recovery | Add | This step disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. |
| browser_bookmark_discovery | Discovery: Browser Bookmark Discovery | Add | This step searches for the Chrome, Edge and Firefox files that store bookmarks. Upon execution, the paths of any bookmark files found are displayed. |
| download_file_with_mpcmdrun | Command and Control: Remote File Copy | Add | This step uses the Windows Defender MpCmdRun.exe to download a file from the internet. |
| download_file_with_bitsadmin | Command and Control: Remote File Copy | Add | This step uses bitsadmin.exe to schedule a BITS job that downloads a file. |
| download_file_with_certutil | Command and Control: Remote File Copy | Add | This step uses certutil.exe to download a file from the web. |
| AMSI_bypass | Defense Evasion: Disabling Security Tools | Mod | With administrative rights, an adversary can remove the AMSI provider registry key under "HKLM\Software\Microsoft\AMSI" to disable AMSI inspection. This step removes the Windows Defender provider registry key. Upon execution, no output is displayed. |
| AppCert_Dlls | Persistence: AppCert DLLs; Privilege Escalation: AppCert DLLs | Mod | Dynamic-link libraries (DLLs) specified in the AppCertDLLs registry key under "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" are loaded into every process that calls the ubiquitously used application programming interface (API) functions. Upon execution, a message box pops up. |
| COM_hijacking | Defense Evasion: Component Object Model Hijacking; Persistence: Component Object Model Hijacking | Mod | This step hijacks a COM object by replacing a reference to a legitimate system component in the Windows Registry. When that system component is executed through normal system operation, the adversary's code (which opens calc.exe) is executed instead. |
| dll_search_order_hijacking | Persistence: DLL Search Order Hijacking; Privilege Escalation: DLL Search Order Hijacking; Defense Evasion: DLL Search Order Hijacking | Mod | This step replaces amsi.dll with a malicious DLL, which is loaded (and opens calc.exe) when powershell.exe runs. (Original name: DLL_search_order_hijacking.) |
| Winlogon_helper_dll | Persistence: Winlogon Helper DLL | Mod | This step sets the Winlogon shell key to execute cmd.exe at logon along with explorer.exe. Upon successful execution, cmd.exe is executed at logon/logoff. (Original name: Winlogon_helper_DLL.) |
| dll_side_loading | Defense Evasion: DLL Side-Loading | Mod | GUP is an open-source signed binary used by Notepad++ for software updates and is vulnerable to DLL side-loading. This step executes the DLL to open calc.exe on the target machine. (Original name: DLL_side_loading.) |
| OpenSSL_C2 | Command and Control: Standard Cryptographic Protocol | Mod | This step starts a C2 session using an SSL socket on the target machine. |
| powershell_profile | Persistence: PowerShell Profile; Privilege Escalation: PowerShell Profile | Mod | This step appends code that opens calc.exe to the end of the PowerShell profile. Every time a user opens a PowerShell session, the code is executed unless PowerShell is launched with the -NoProfile flag. |
| PubPrn | Execution: Signed Script Proxy Execution; Defense Evasion: Signed Script Proxy Execution | Mod | This step executes the signed PubPrn.vbs script with options that execute a payload (which opens calc.exe). |
| RDP_hijacking_with_tscon | Lateral Movement: Remote Desktop Protocol | Mod | In this step, a SYSTEM account uses RDP to move laterally across the network without credentials. |
| automated_exfiltration | Exfiltration: Automated Exfiltration | Mod | This step automatically exfiltrates collected files via removable media. |
| clear_windows_event_logs | Defense Evasion: Indicator Removal on Host | Mod | This step clears the Windows event logs on the target machine (the cleared logs cannot be recovered). |
| compile_after_delivery | Defense Evasion: Compile After Delivery | Mod | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. This step compiles C# code using the csc.exe binary shipped with .NET. |
| compiled_HTML_file | Execution: Compiled HTML File; Defense Evasion: Compiled HTML File | Mod | This step uses hh.exe to execute a local compiled HTML Help payload (which opens calc.exe). |
| copy_to_removable_media | Initial Access: Replication Through Removable Media; Lateral Movement: Replication Through Removable Media | Mod | This step copies the malicious file (calc.exe stands in for the malicious file) to removable media and hides it, then generates a shortcut to it. The shortcut masquerades as an .exe file that already exists on the removable media (same name, same icon), and that .exe file is hidden. The lure relies on a user executing this shortcut on a separate system. |
| execute_by_DDE | Execution: Dynamic Data Exchange | Mod | This step copies the file to the target machine. Once the .docx file is launched and the victim accepts two prompts, calc.exe pops up. |
| bypass_UAC_eventviewer | Privilege Escalation: Bypass User Account Control; Defense Evasion: Bypass User Account Control | Mod | This step bypasses User Account Control using Event Viewer and a related Windows Registry modification. (Original name: bypass_UAC.) |
| indirect_command_execution_pcalua | Defense Evasion: Indirect Command Execution | Mod | This step executes the command (calc.exe) through the Program Compatibility Assistant (pcalua.exe) on the target machine. (Original name: indirect_command_execution.) |
| indicator_removal_using_fsutil | Defense Evasion: Indicator Removal on Host | Mod | This step manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output is displayed. (Original name: indicator_removal_using_FSUtil.) |