FortiTester ATT&CK Database Version
| Name | ATT&CK Tactics & Techniques | Status | Update |
|---|---|---|---|
| unrecoverable_deleted_file | Impact: Data Destruction | Add | This step creates a file and then uses Sysinternals SDelete to overwrite and delete it. |
| disable_windows_recovery_console_repair | Impact: Inhibit System Recovery | Add | This step disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. |
| browser_bookmark_discovery | Discovery: Browser Bookmark Discovery | Add | This step searches for the Chrome/Edge/Firefox bookmarks file. Upon execution, the paths that contain bookmark files are displayed. |
| download_file_with_mpcmdrun | Command and Control: Remote File Copy | Add | This step uses the Windows Defender MpCmdRun.exe to download a file from the internet. |
| download_file_with_bitsadmin | Command and Control: Remote File Copy | Add | This step uses bitsadmin.exe to schedule a BITS job that downloads a file. |
| download_file_with_certutil | Command and Control: Remote File Copy | Add | This step uses certutil.exe to download a file from the web. |
| AMSI_bypass | Defense Evasion: Disabling Security Tools | Mod | With administrative rights, an adversary can remove the AMSI provider registry key under "HKLM\Software\Microsoft\AMSI" to disable AMSI inspection. This step removes the Windows Defender provider registry key. Upon execution, no output is displayed. |
| AppCert_Dlls | Persistence: AppCert DLLs; Privilege Escalation: AppCert DLLs | Mod | Dynamic-link libraries (DLLs) specified in the AppCertDLLs Registry key under "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" are loaded into every process that calls the ubiquitously used application programming interface (API) functions. Upon execution, a message box pops up. |
| COM_hijacking | Defense Evasion: Component Object Model Hijacking; Persistence: Component Object Model Hijacking | Mod | This step hijacks a COM object by replacing a reference to a legitimate system component in the Windows Registry. When that system component is executed through normal system operation, the adversary's code (which opens calc.exe) is executed instead. |
| dll_search_order_hijacking | Persistence: DLL Search Order Hijacking; Privilege Escalation: DLL Search Order Hijacking; Defense Evasion: DLL Search Order Hijacking | Mod | This step replaces amsi.dll with a malicious DLL. The malicious DLL is loaded (opening calc.exe) when powershell.exe runs. (Original name: DLL_search_order_hijacking.) |
| Winlogon_helper_dll | Persistence: Winlogon Helper DLL | Mod | This step sets the Winlogon Shell key to execute cmd.exe at logon along with explorer.exe. Upon successful execution, cmd.exe is executed at logon/logoff. (Original name: Winlogon_helper_DLL.) |
| dll_side_loading | Defense Evasion: DLL Side-Loading | Mod | GUP is an open-source signed binary used by Notepad++ for software updates and is vulnerable to DLL side-loading. This step executes the DLL to open calc.exe on the target machine. (Original name: DLL_side_loading.) |
| OpenSSL_C2 | Command and Control: Standard Cryptographic Protocol | Mod | This step starts a C2 session using an SSL socket on the target machine. |
| powershell_profile | Persistence: PowerShell Profile; Privilege Escalation: PowerShell Profile | Mod | This step appends code to the end of the PowerShell profile to open calc.exe. Every time a user opens a PowerShell session the code is executed, unless the -NoProfile flag is used at launch. |
| PubPrn | Execution: Signed Script Proxy Execution; Defense Evasion: Signed Script Proxy Execution | Mod | This step executes the signed PubPrn.vbs script with options that run a payload (open calc.exe). |
| RDP_hijacking_with_tscon | Lateral Movement: Remote Desktop Protocol | Mod | In this step, a SYSTEM account uses RDP to move laterally across the network without credentials. |
| automated_exfiltration | Exfiltration: Automated Exfiltration | Mod | This step automatically exfiltrates collected files via removable media. |
| clear_windows_event_logs | Defense Evasion: Indicator Removal on Host | Mod | This step clears the Windows event log on the target machine (the cleared log cannot be recovered). |
| compile_after_delivery | Defense Evasion: Compile After Delivery | Mod | Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. This step compiles C# code using the csc.exe binary shipped with .NET. |
| compiled_HTML_file | Execution: Compiled HTML File; Defense Evasion: Compiled HTML File | Mod | This step uses hh.exe to execute a local compiled HTML Help payload (open calc.exe). |
| copy_to_removable_media | Initial Access: Replication Through Removable Media; Lateral Movement: Replication Through Removable Media | Mod | This step copies the malicious file (calc.exe stands in for the malicious file) to removable media and hides it, then generates a shortcut to the malicious file. The shortcut impersonates an .exe file that already exists on the removable media (same name, same icon), and that .exe file is hidden. The shortcut is intended to tempt users into executing it on a separate system. |
| execute_by_DDE | Execution: Dynamic Data Exchange | Mod | This step copies the file to the target machine. Once the .docx file is opened and the victim accepts two prompts, calc.exe pops up. |
| bypass_UAC_eventviewer | Privilege Escalation: Bypass User Account Control; Defense Evasion: Bypass User Account Control | Mod | This step bypasses User Account Control using Event Viewer and a related Windows Registry modification. (Original name: bypass_UAC.) |
| indirect_command_execution_pcalua | Defense Evasion: Indirect Command Execution | Mod | This step executes the command (calc.exe) through the Program Compatibility Assistant (pcalua.exe) on the target machine. (Original name: indirect_command_execution.) |
| indicator_removal_using_fsutil | Defense Evasion: Indicator Removal on Host | Mod | This step uses fsutil to manage the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output is displayed. (Original name: indicator_removal_using_FSUtil.) |