FortiTester ATT&CK DB Ver

| Name | ATT&CK Tactics & Techniques | Status | Update |
|---|---|---|---|
| remove_Defender_definition_files | Defense Evasion: Disabling Security Tools | Add | This step removes definition files. |
| tamper_with_Defender_registry | Defense Evasion: Disabling Security Tools | Add | This step disables Windows Defender from starting after a reboot. |
| create_process_using_obfuscated_Win32_process | Execution: Windows Management Instrumentation | Add | This step tries to mask process creation by creating a new class that inherits from Win32_Process. |
| credential_dumping_with_NPPSpy | Credential Access: Credential Dumping | Add | This step changes the ProviderOrder registry key parameter and creates a key for NPPSpy. |
| spearphishing_link | Initial Access: Spearphishing Link | Add | This step simulates a phishing email which contains a link. |
| spearphishing_via_service | Initial Access: Spearphishing via Service | Add | This step simulates spearphishing via a third-party service. |
| execute_remote_file_via_msiexec | Execution: Signed Binary Proxy Execution; Defense Evasion: Signed Binary Proxy Execution | Add | This step executes an arbitrary MSI file retrieved remotely. |
| read_volume_boot_sector | Defense Evasion: File System Logical Offsets | Add | This step uses PowerShell to open a handle on the drive volume and performs a direct-access read of the first few bytes of the volume. |
| MMC20application_com_object | Execution: Component Object Model and Distributed COM | Add | This step uses the MMC20.Application COM object for lateral movement. |
| DLP_evasion_via_VBA_macro | Defense Evasion: Obfuscated Files or Information | Add | Upon successful execution, an Excel file with a VBA macro containing sensitive data will be sent to the target machine. |
| bypass_UAC_silentcleanup | Defense Evasion: Bypass User Account Control; Privilege Escalation: Bypass User Account Control | Add | This step bypasses UAC using the SilentCleanup task. |
| mount_ISO_image | Command and Control: Remote File Copy; Lateral Movement: Remote File Copy | Add | This step mounts an ISO image on the target machine. |
| dump_credentials_from_Windows_Credential_Manager | Credential Access: Credentials in Files | Add | This step extracts the credentials from the Windows Credential Manager. |
| WMI_query_with_encoded_command | Execution: Windows Management Instrumentation | Add | This step creates a process using a WMI query and an encoded command. |
| disable_UAC | Defense Evasion: Bypass User Account Control | Add | This step disables User Account Control. |
| dump_lsass_memory_xordump | Credential Access: Credential Dumping | Add | This step dumps credentials from memory using xordump.exe. |
| credential_dumping_with_gsecdump | Credential Access: Credential Dumping | Add | This step dumps credentials from memory using gsecdump.exe. |
| download_file_with_certreq | Command and Control: Remote File Copy | Add | This step uses CertReq.exe to download the file. |
| token_duplication | Defense Evasion: Access Token Manipulation; Privilege Escalation: Access Token Manipulation | Add | This step uses SeDebugPrivilege to obtain, duplicate and impersonate the token of another process. |
| brute_force_domain_user | Credential Access: Brute Force | Add | This step attempts to map the share on one of the Domain Controllers. |
| xor_encoded_data | Command and Control: Data Encoding | Add | This step encodes the data with an XOR key. |
| execute_command_as_service | Execution: Service Execution | Add | This step creates a service specifying an arbitrary command and executes it. |
| enumerate_COM_objects | Discovery: System Information Discovery | Add | This step finds the COM objects registered on the Windows system. |
| obfuscated_command_in_powershell | Defense Evasion: Obfuscated Files or Information | Add | This step runs an obfuscated PowerShell command. |
| powershell_XML_requests | Execution: PowerShell | Add | This step executes a PowerShell XML request. |
| dump_volume_shadow_copy_hive | Credential Access: Credential Dumping | Add | This step dumps hives from volume shadow copies with the certutil utility. |
| dynamic_compile | Defense Evasion: Compile After Delivery | Add | This step executes an exe program containing dynamically compiled C# code. |
| enable_guest_account_with_RDP_and_admin_privileges | Privilege Escalation: Valid Accounts | Add | This step will enable the default guest account. |