Refine SearchFortiTester ATT&CK DB Ver
| Name | ATT&CK Tactics & Techniques | Status | Update |
|---|---|---|---|
| get_pnpdevices |
Collection: Data from Local System Discovery: Peripheral Device Discovery Execution: Execution through API |
Mod
|
This step enumerates peripheral devices attached to the host device. |
| hijack_execution_flow_COR_PROFILER |
Persistence: PowerShell Profile |
Add
|
This step creates process scope environment variables to enable a .NET profiler. |
| impair_windows_audit_log_policy |
Defense Evasion: Windows Management Instrumentation |
Add
|
This step clears the Windows audit policy. |
| get_local_admin |
Discovery: Permission Groups Discovery |
Add
|
This step lists members of the local administrators group. |
| disable_system_restore |
Impact: Inhibit System Recovery |
Add
|
This step uses schtasks.exe to disable the System Restore scheduled task. |
| download_file_with_imewdbld |
Command and Control: Remote File Copy |
Add
|
This step uses IMEWDBLD.exe to download a file. |
| rubeus_kerberoast |
Credential Access: Kerberoasting |
Add
|
Kerberoasting all users in the current domain using rubeus.exe. |
| service_registry_permissions_weakness |
Persistence: Service Registry Permissions Weakness |
Add
|
This step changes service registry ImagePath of a bengin service to other file. |
| masquerade_service |
Defense Evasion: Masquerading |
Add
|
This step creates W32Time similar named service (win32times) using sc.exe. |
| get_GPP_password_dc |
Credential Access: Credentials in Files |
Add
|
This step finds the encrypted cpassword value within Group Policy Preference files on the Domain Controller. |
| get_GPP_password |
Credential Access: Credentials in Files |
Add
|
This step finds the encrypted cpassword value within Group Policy Preference files on the Domain Controller. |
| execute_javascript |
Execution: Scripting |
Add
|
This step executes JavaScript on the target machine. |
| execute_python |
Execution: Scripting |
Add
|
This step executes python script on the target machine. |
| radmin_viewer_utility |
Execution: Third-party Software |
Add
|
This step downloads Radmin Viewer Utility. |
| create_domain_account |
Persistence: Create Account |
Add
|
This step creates a new domain user on the target machine. |
| path_interception_path_environment_variable |
Persistence: Path Interception Privilege Escalation: Path Interception |
Add
|
This step places calc.exe in an earlier entry in the list of directories stored in the PATH environment variable and renames it to notepad.exe. |
| PathInterceptionSearchOrderHijacking |
Persistence: Path Interception Privilege Escalation: Path Interception |
Add
|
This step executes a .bat file, and there is a command in the .bat file: whoami. |
| portable_executable_injection |
Defense Evasion: Process Injection Privilege Escalation: Process Injection |
Add
|
This step injects shellcode(MessageBoxA) into PE file. |
| modify_code_signing_policy |
Defense Evasion: Code Signing |
Add
|
This step modifies code signing policy on the target machine. |
| Register-CimProvider |
Defense Evasion: Signed Binary Proxy Execution Execution: Signed Binary Proxy Execution |
Mod
|
This step executes arbitrary dll. Upon execution, calc.exe will be opened. |
| PromptUserforPassword |
Credential Access: Input Prompt |
Mod
|
This step creates GUI to prompt for password. |
| spearphishing_link |
Initial Access: Spearphishing Link |
Mod
|
This step simulates a phishing email, which contains a link. |
| spearphishing_via_service |
Initial Acces: Spearphishing via Service |
Add
|
This step simulates spearphishing via third party service. |
| process_injection_via_mavinject |
Execution: Signed Binary Proxy Execution |
Add
|
This step uses Windows 10 utility mavinject to inject Dlls. |