FortiTester ATT&CK DB Ver
| Name | ATT&CK Tactics & Techniques | Status | Description | ATT&CK Version |
|---|---|---|---|---|
| Add Driver | Persistence: Boot or Logon Autostart Execution; Privilege Escalation: Boot or Logon Autostart Execution | Add | This ability installs a built-in, already installed Windows driver via pnputil.exe for testing. | V10 |
| Add File to Local Library StartupItems | Persistence: Boot or Logon Initialization Scripts: Startup Items; Privilege Escalation: Boot or Logon Initialization Scripts: Startup Items | Add | This ability creates a file in /Library/StartupItems. | V10 |
| Clear Paging Cache | Defense Evasion: Impair Defenses: Disable or Modify Tools | Add | This ability clears the paging cache via a system request. | V10 |
| Create and Hide a Service | Defense Evasion: Hide Artifacts | Add | This ability uses sc.exe with sdset to change the security descriptor of a service so that it is hidden from enumeration. | V10 |
| Create HTTP Server | Exfiltration: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Add | This ability creates an HTTP server on port 9090. | V10 |
| Decompile Local CHM File | Defense Evasion: Signed Binary Proxy Execution: Compiled HTML File | Add | This ability uses hh.exe to decompile a local compiled HTML Help (.chm) file. | V10 |
| Delete Windows Defender Scheduled Tasks | Defense Evasion: Impair Defenses: Disable or Modify Tools | Add | This ability deletes the Windows Defender scheduled tasks. | V10 |
| Disable Memory Swap | Defense Evasion: Impair Defenses: Disable or Modify Tools | Add | This ability disables swapping on the paging device. | V10 |
| Enumerate Active Directory Users | Discovery: Account Discovery: Domain Account | Add | This ability uses ADSISearcher to enumerate users within Active Directory. | V10 |
| Enumerate Camera Information | Reconnaissance: Gather Victim Host Information: Hardware | Add | This ability enumerates camera information using PowerShell. | V10 |
| Event Viewer Registry Modification | Defense Evasion: Modify Registry | Add | This ability modifies Event Viewer registry values to alter the behavior of the online help redirection. | V10 |
| Execute Local MSI file with an embedded EXE | Defense Evasion: Signed Binary Proxy Execution: Msiexec | Add | This ability executes an MSI containing an embedded EXE using the WMI Win32_Product class. | V10 |
| Export the Local Security Policy via SecEdit.exe | Discovery: Password Policy Discovery | Add | This ability uses SecEdit.exe to export the local security policy currently applied to the host. | V10 |
| Hide Files Through Registry | Defense Evasion: Hide Artifacts: Hidden Files and Directories | Add | This ability disables the "Show hidden files" setting in the registry. | V10 |
| HTML Smuggling Remote Payload | Defense Evasion: Obfuscated Files or Information: HTML Smuggling | Add | This ability opens an HTML file in the default browser, which then downloads an ISO file automatically. | V10 |
| List Google Chrome Bookmark Files on MacOS | Discovery: Browser Bookmark Discovery | Add | This ability searches for the Google Chrome Bookmarks file. | V10 |
| LNK Payload Download | Execution: User Execution: Malicious File | Add | This step executes an LNK file, which invokes PowerShell to download PuTTY from the Internet and open it. | V10 |
| Logon Scripts on Mac | Persistence: Boot or Logon Initialization Scripts: Login Hook; Privilege Escalation: Boot or Logon Initialization Scripts: Login Hook | Add | This ability creates a plist file that points to a specific script to execute with root privileges upon user logon. | V10 |
| Loot local Wifi Credentials | Credential Access: Credentials from Password Stores | Add | This ability dumps the keys of saved WLAN profiles in clear text. | V10 |
| Obfuscated Command Line Scripts | Execution: Command and Scripting Interpreter: Unix Shell | Add | This ability executes obfuscated command-line scripts via the Unix shell. | V10 |
| Persistence using Windows Print Processors | Persistence: Boot or Logon Autostart Execution: Print Processors; Privilege Escalation: Boot or Logon Autostart Execution: Print Processors | Add | This ability registers a DLL as an alternative Print Processor by setting registry values. | V10 |
| Printer Check | Discovery: Peripheral Device Discovery | Add | This step discovers printers and checks them for related vulnerabilities. | V10 |
| RDP hijacking | Lateral Movement: Remote Service Session Hijacking: RDP Hijacking | Add | Running as SYSTEM, this ability takes over an existing RDP session to move laterally across the network without credentials. | V10 |
| Scheduled Task with At | Privilege Escalation: Scheduled Task/Job: At; Persistence: Scheduled Task/Job: At; Execution: Scheduled Task/Job: At | Add | This ability schedules a task to run at a specified time using at. | V10 |
| Share Discovery | Discovery: Network Share Discovery | Add | This ability enumerates the domain shares the current user has access to. | V10 |
| Simulate CPU Load with Yes | Impact: Resource Hijacking | Add | This ability simulates the high CPU load you might observe during cryptojacking attacks. | V10 |
| System Scope COR_PROFILER | Persistence: Hijack Execution Flow: COR_PROFILER; Privilege Escalation: Hijack Execution Flow: COR_PROFILER; Defense Evasion: Hijack Execution Flow: COR_PROFILER | Add | This ability creates system-scope COR_PROFILER environment variables. | V10 |
| System Shell Profile Scripts | Persistence: Event Triggered Execution: Unix Shell Configuration Modification; Privilege Escalation: Event Triggered Execution: Unix Shell Configuration Modification | Add | This ability establishes persistence by adding commands to a shell profile script in a specified directory. | V10 |
| TinyTurla Backdoor Service | Persistence: Create or Modify System Process: Windows Service; Privilege Escalation: Create or Modify System Process: Windows Service | Add | This ability runs a DLL as a service to emulate the TinyTurla backdoor. | V10 |
| WMIObject Group Discovery | Discovery: Permission Groups Discovery: Local Groups | Add | This ability enumerates local groups on the target machine. | V10 |
| Process Injection via mavinject.exe | Defense Evasion: Impair Defenses: Disable Windows Event Logging; Defense Evasion: System Binary Proxy Execution: Mavinject; Privilege Escalation: Impair Defenses: Disable Windows Event Logging | Mod | This ability uses the Windows 10 utility mavinject.exe to inject DLLs. | V10 |
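The following PowerShell is an added example and is not part of the FortiTester ATT&CK DB or of any ability listed above. It shows how a defender can verify on a test host whether the "Create and Hide a Service" ability had its intended effect: it compares the Win32 services registered under HKLM\SYSTEM\CurrentControlSet\Services against what the Service Control Manager is willing to enumerate for the caller, then reads the security descriptor of each missing service with `sc.exe sdshow` and flags access-denied ACEs on SERVICE_QUERY_STATUS (the `LC` right) for Interactive Users, Service Users or Administrators. The function name `Find-HiddenService` and the assumption that the ability's `sc.exe sdset` descriptor denies `LC` to those principals are the example's own, not taken from the page.

```powershell
# Added example (not FortiTester's code). Lists services that exist in the registry
# but are missing from SCM enumeration, and inspects their SDDL for Deny ACEs.
# Assumption: the hide technique denies SERVICE_QUERY_STATUS (LC) to IU/SU/BA via sc.exe sdset.
# Run from an elevated PowerShell on the host under test.

function Find-HiddenService {
    [CmdletBinding()]
    param()

    # 1. Ground truth: every Win32 (non-driver) service registered under the Services key.
    #    SERVICE_WIN32_OWN_PROCESS = 0x10, SERVICE_WIN32_SHARE_PROCESS = 0x20; drivers are 0x1 / 0x2.
    $regServices = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $type = (Get-ItemProperty -Path $_.PSPath -Name Type -ErrorAction SilentlyContinue).Type
        if ($null -ne $type -and ($type -band 0x30) -ne 0) { $_.PSChildName }
    }

    # 2. What the Service Control Manager enumerates for the current caller.
    #    A service whose DACL denies SERVICE_QUERY_STATUS to this caller is silently omitted here.
    $scmServices = (Get-Service -ErrorAction SilentlyContinue).Name

    # 3. Anything registered but not enumerable is a candidate; confirm by reading its SDDL.
    foreach ($name in $regServices) {
        if ($scmServices -contains $name) { continue }

        # sdshow prints the DACL ("D:...") and, if present, the SACL ("S:...") on separate lines.
        $sddl = (& sc.exe sdshow $name 2>$null | Where-Object { $_ -match '^D:' }) -join ''

        # ACE syntax: (type;flags;rights;object_guid;inherit_guid;sid). "D" = access denied.
        $denyAces = [regex]::Matches($sddl, '\(D;[^)]*\)') | ForEach-Object { $_.Value }

        # Flag the specific pattern the hide technique relies on: LC denied to IU, SU or BA.
        $hides = ($denyAces | Where-Object { $_ -match 'LC' -and $_ -match ';;;(IU|SU|BA)\)$' }).Count -gt 0

        [pscustomobject]@{
            Service    = $name
            ImagePath  = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            DenyAces   = ($denyAces -join ' ')
            Suspicious = $hides
        }
    }
}

Find-HiddenService | Format-Table -AutoSize
```

Run it as an administrator; a service that is hidden from Administrators as well will still appear in the registry pass, which is the point of comparing the two sources rather than trusting `Get-Service` alone. Per-user service templates and services flagged for deletion can show up as registry-only without any Deny ACE, so treat the `Suspicious` column, not mere absence from SCM output, as the signal worth escalating.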