FortiTester ATT&CK DB Ver

| Name | ATT&CK Tactics & Techniques | Status | Update |
| --- | --- | --- | --- |
| get_pnpdevices | Collection: Data from Local System; Discovery: Peripheral Device Discovery; Execution: Execution through API | Mod | This step enumerates peripheral devices attached to the host device. |
| hijack_execution_flow_COR_PROFILER | Persistence: PowerShell Profile | Add | This step creates process-scope environment variables to enable a .NET profiler. |
| impair_windows_audit_log_policy | Defense Evasion: Windows Management Instrumentation | Add | This step clears the Windows audit policy. |
| get_local_admin | Discovery: Permission Groups Discovery | Add | This step lists members of the local administrators group. |
| disable_system_restore | Impact: Inhibit System Recovery | Add | This step uses schtasks.exe to disable the System Restore scheduled task. |
| download_file_with_imewdbld | Command and Control: Remote File Copy | Add | This step uses IMEWDBLD.exe to download a file. |
| rubeus_kerberoast | Credential Access: Kerberoasting | Add | This step Kerberoasts all users in the current domain using rubeus.exe. |
| service_registry_permissions_weakness | Persistence: Service Registry Permissions Weakness | Add | This step changes the service registry ImagePath of a benign service to another file. |
| masquerade_service | Defense Evasion: Masquerading | Add | This step uses sc.exe to create a service (win32times) with a name similar to W32Time. |
| get_GPP_password_dc | Credential Access: Credentials in Files | Add | This step finds the encrypted cpassword value within Group Policy Preference files on the Domain Controller. |
| get_GPP_password | Credential Access: Credentials in Files | Add | This step finds the encrypted cpassword value within Group Policy Preference files on the Domain Controller. |
| execute_javascript | Execution: Scripting | Add | This step executes JavaScript on the target machine. |
| execute_python | Execution: Scripting | Add | This step executes a Python script on the target machine. |
| radmin_viewer_utility | Execution: Third-party Software | Add | This step downloads Radmin Viewer Utility. |
| create_domain_account | Persistence: Create Account | Add | This step creates a new domain user on the target machine. |
| path_interception_path_environment_variable | Persistence: Path Interception; Privilege Escalation: Path Interception | Add | This step places calc.exe in an earlier entry in the list of directories stored in the PATH environment variable and renames it to notepad.exe. |
| PathInterceptionSearchOrderHijacking | Persistence: Path Interception; Privilege Escalation: Path Interception | Add | This step executes a .bat file that contains the command whoami. |
| portable_executable_injection | Defense Evasion: Process Injection; Privilege Escalation: Process Injection | Add | This step injects shellcode (MessageBoxA) into a PE file. |
| modify_code_signing_policy | Defense Evasion: Code Signing | Add | This step modifies the code signing policy on the target machine. |
| Register-CimProvider | Defense Evasion: Signed Binary Proxy Execution; Execution: Signed Binary Proxy Execution | Mod | This step executes an arbitrary DLL. Upon execution, calc.exe will be opened. |
| PromptUserforPassword | Credential Access: Input Prompt | Mod | This step creates a GUI to prompt for a password. |
| spearphishing_link | Initial Access: Spearphishing Link | Mod | This step simulates a phishing email that contains a link. |
| spearphishing_via_service | Initial Access: Spearphishing via Service | Add | This step simulates spearphishing via a third-party service. |
| process_injection_via_mavinject | Execution: Signed Binary Proxy Execution | Add | This step uses the Windows 10 utility mavinject to inject DLLs. |