FortiTester ATT&CK DB Ver

| Name | ATT&CK Tactics & Techniques | Status | Update | ATT&CK Version |
|---|---|---|---|---|
| Add Driver | Persistence: Boot or Logon Autostart Execution; Privilege Escalation: Boot or Logon Autostart Execution | Add | This ability installs a built-in, already installed Windows driver via pnputil.exe for testing. | V10 |
| Add File to Local Library StartupItems | Persistence: Boot or Logon Initialization Scripts: Startup Items; Privilege Escalation: Boot or Logon Initialization Scripts: Startup Items | Add | This ability creates a file in /Library/StartupItems. | V10 |
| Clear Paging Cache | Defense Evasion: Impair Defenses: Disable or Modify Tools | Add | This ability clears the paging cache via a system request. | V10 |
| Create and Hide a Service | Defense Evasion: Hide Artifacts | Add | This ability utilizes sc.exe and sdset to change the security descriptor of a service. | V10 |
| Create HTTP Server | Exfiltration: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Add | This ability creates an HTTP server on port 9090. | V10 |
| Decompile Local CHM File | Defense Evasion: Signed Binary Proxy Execution: Compiled HTML File | Add | This ability uses hh.exe to decompile a local compiled HTML Help file. | V10 |
| Delete Windows Defender Scheduled Tasks | Defense Evasion: Impair Defenses: Disable or Modify Tools | Add | This ability deletes the Windows Defender scheduled tasks. | V10 |
| Disable Memory Swap | Defense Evasion: Impair Defenses: Disable or Modify Tools | Add | This ability disables swapping of device paging. | V10 |
| Enumerate Active Directory Users | Discovery: Account Discovery: Domain Account | Add | This ability utilizes ADSISearcher to enumerate users within Active Directory. | V10 |
| Enumerate Camera Information | Reconnaissance: Gather Victim Host Information: Hardware | Add | Enumerates camera information using PowerShell. | V10 |
| Event Viewer Registry Modification | Defense Evasion: Modify Registry | Add | This ability modifies Event Viewer registry values to alter the behavior of the online help redirection. | V10 |
| Execute Local MSI file with an embedded EXE | Defense Evasion: Signed Binary Proxy Execution: Msiexec | Add | This ability executes an MSI containing an embedded EXE using the WMI Win32_Product class. | V10 |
| Export the Local Security Policy via SecEdit.exe | Discovery: Password Policy Discovery | Add | This ability uses SecEdit.exe to export the current local security policy applied to a host. | V10 |
| Hide Files Through Registry | Defense Evasion: Hide Artifacts: Hidden Files and Directories | Add | Disables the Show Hidden Files switch in the registry. | V10 |
| HTML Smuggling Remote Payload | Defense Evasion: Obfuscated Files or Information: HTML Smuggling | Add | This ability opens the HTML file in the default browser, after which the ISO file is downloaded automatically. | V10 |
| List Google Chrome Bookmark Files on MacOS | Discovery: Browser Bookmark Discovery | Add | This ability searches for the Google Chrome Bookmark file. | V10 |
| LNK Payload Download | Execution: User Execution: Malicious File | Add | This step executes the LNK file, which invokes PowerShell to download PuTTY from the Internet and open it. | V10 |
| Logon Scripts on Mac | Persistence: Boot or Logon Initialization Scripts: Login Hook; Privilege Escalation: Boot or Logon Initialization Scripts: Login Hook | Add | This ability creates a plist file that points to a specific script to execute with root privileges upon user logon. | V10 |
| Loot local Wifi Credentials | Credential Access: Credentials from Password Stores | Add | This ability dumps keys in clear text for saved WLAN profiles. | V10 |
| Obfuscated Command Line Scripts | Execution: Command and Scripting Interpreter: Unix Shell | Add | Obfuscated command line scripts. | V10 |
| Persistence using Windows Print Processors | Persistence: Boot or Logon Autostart Execution: Print Processors; Privilege Escalation: Boot or Logon Autostart Execution: Print Processors | Add | This ability registers the DLL as an alternative Print Processor by setting registry values. | V10 |
| Printer Check | Discovery: Peripheral Device Discovery | Add | This step finds the printer and checks for related vulnerabilities. | V10 |
| RDP hijacking | Lateral Movement: Remote Service Session Hijacking: RDP Hijacking | Add | A SYSTEM account uses RDP to move laterally across the network without credentials. | V10 |
| Scheduled Task with At | Privilege Escalation: Scheduled Task/Job: At; Persistence: Scheduled Task/Job: At; Execution: Scheduled Task/Job: At | Add | This ability schedules tasks at a specified time. | V10 |
| Share Discovery | Discovery: Network Share Discovery | Add | This ability enumerates domain shares the current user has access to. | V10 |
| Simulate CPU Load with Yes | Impact: Resource Hijacking | Add | This ability simulates a high CPU load such as you might observe during cryptojacking attacks. | V10 |
| System Scope COR_PROFILER | Persistence: Hijack Execution Flow: COR_PROFILER; Privilege Escalation: Hijack Execution Flow: COR_PROFILER; Defense Evasion: Hijack Execution Flow: COR_PROFILER | Add | This ability creates system scope environment variables. | V10 |
| System Shell Profile Scripts | Persistence: Event Triggered Execution: Unix Shell Configuration Modification; Privilege Escalation: Event Triggered Execution: Unix Shell Configuration Modification | Add | This ability establishes persistence by adding commands to the script file in a specified directory. | V10 |
| TinyTurla Backdoor Service | Persistence: Create or Modify System Process: Windows Service; Privilege Escalation: Create or Modify System Process: Windows Service | Add | This ability runs the DLL as a service to emulate the TinyTurla backdoor. | V10 |
| WMIObject Group Discovery | Discovery: Permission Groups Discovery: Local Groups | Add | This ability enumerates local groups on the target machine. | V10 |
| Process Injection via mavinject.exe | Defense Evasion: Impair Defenses: Disable Windows Event Logging, System Binary Proxy Execution: Mavinject; Privilege Escalation: Impair Defenses: Disable Windows Event Logging | Mod | Uses the Windows 10 utility mavinject.exe to inject DLLs. | V10 |