Refine SearchFortiTester ATT&CK DB Ver
| Name | ATT&CK Tactics & Techniques | Status | Update |
|---|---|---|---|
| remove_Defender_definition_files |
Defense Evasion: Disabling Security Tools |
Add
|
This step removes definition files. |
| tamper_with_Defender_registry |
Defense Evasion: Disabling Security Tools |
Add
|
This step disables Windows Defender from starting after a reboot. |
| create_process_using_obfuscated_Win32_process |
Execution: Windows Management Instrumentation |
Add
|
This step tries to mask process creation by creating a new class that inherits from Win32_Process. |
| credential_dumping_with_NPPSpy |
Credential Access: Credential Dumping |
Add
|
This step changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy. |
| spearphishing_link |
Initial Access: Spearphishing Link |
Add
|
This step simulates a phishing email, which contains a link. |
| spearphishing_via_service |
Initial Access: Spearphishing via Service |
Add
|
This step simulates spearphishing via third party service. |
| execute_remote_file_via_msiexec |
Execution: Signed Binary Proxy Execution Defense Evasion: Signed Binary Proxy Execution |
Add
|
This step executes arbitrary MSI file retrieved remotely. |
| read_volume_boot_sector |
Defense Evasion: File System Logical Offsets |
Add
|
This step uses PowerShell to open a handle on the drive volume and performs direct access read of the first few bytes of the volume. |
| MMC20application_com_object |
Execution: Component Object Model and Distributed COM |
Add
|
This step uses the mmc20 application com object for lateral movement. |
| DLP_evasion_via_VBA_macro |
Defense Evasion: Obfuscated Files or Information |
Add
|
Upon successful execution, an excel with VBA Macro containing sensitive data will be sent to the target machine. |
| bypass_UAC_silentcleanup |
Defense Evasion: Bypass User Account Control Privilege Escalation: Bypass User Account Control |
Add
|
This step bypasses UAC using SilentCleanup task. |
| mount_ISO_image |
Command and Control: Remote File Copy Lateral Movement: Remote File Copy |
Add
|
This step mounts ISO image on the target machine. |
| dump_credentials_from_Windows_Credential_Manager |
Credential Access: Credentials in Files |
Add
|
This step extracts the credentials from the Windows Credential Manager. |
| WMI_query_with_encoded_command |
Execution: Windows Management Instrumentation |
Add
|
This step creates a process using WMI query and an encoded command. |
| disable_UAC |
Defense Evasion: Bypass User Account Control |
Add
|
This step disables User Account Conrol. |
| dump_lsass_memory_xordump |
Credential Access: Credential Dumping |
Add
|
This step dumps credentials from memory using xordump.exe. |
| credential_dumping_with_gsecdump |
Credential Access: Credential Dumping |
Add
|
This step dumps credentials from memory using gsecdump.exe. |
| download_file_with_certreq |
Command and Control: Remote File Copy |
Add
|
This step uses CertReq.exe to download the file. |
| token_duplication |
Defense Evasion: Access Token Manipulation Privilege Escalation: Access Token Manipulation |
Add
|
This step uses SeDebugPrivilege to obtain, duplicate and impersonate the token of another process. |
| brute_force_domain_user |
Credential Access: Brute Force |
Add
|
This step attempts to map the share on one of the Domain Controllers. |
| xor_encoded_data |
Command and Control: Data Encoding |
Add
|
This step encodes the data with a XOR key. |
| execute_command_as_service |
Execution: Service Execution |
Add
|
This step creates a service specifying an aribrary command and executes it. |
| enumerate_COM_objects |
Discovery: System Information Discovery |
Add
|
This step finds the COM objects registered on the Windows system. |
| obfuscated_command_in_powershell |
Defense Evasion: Obfuscated Files or Information |
Add
|
This step runs an obfuscated PowerShell command. |
| powershell_XML_requests |
Execution: PowerShell |
Add
|
This step executes powershell xml request. |
| dump_volume_shadow_copy_hive |
Credential Access: Credential Dumping |
Add
|
This step dumps hives from volume shadow copies with the certutil utility. |
| dynamic_compile |
Defense Evasion: Compile After Delivery |
Add
|
This step executes the exe program containing dynamically compiled C# code. |
| enable_guest_account_with_RDP_and_admin_privileges |
Privilege Escalation: Valid Accounts |
Add
|
This step will enable the default guest account. |