FortiTester ATT&CK DB Ver

| Name | ATT&CK Tactics & Techniques | Status | Update |
|---|---|---|---|
| timestomp_a_file | Defense Evasion: Timestomp | Add | This step timestomps a file on the target machine. |
| remove_zoneidentifier_ADS | Command and Control: Remote File Copy; Lateral Movement: Remote File Copy | Add | This step removes the Zone.Identifier alternate data stream, which marks the file as downloaded from the internet. |
| port_scan_nmap | Discovery: Network Service Scanning | Add | This step uses Nmap to scan ports and identify which ports are listening. |
| password_cracking_with_hashcat | Credential Access: Brute Force | Add | This step executes Hashcat.exe against a SAM file taken from the Windows registry, using the provided password list. |
| obfuscated_command_in_cmd | Defense Evasion: Obfuscated Files or Information | Add | This step uses an obfuscated certutil command to download files from the web. |
| named_pipe_client_impersonation | Privilege Escalation: Access Token Manipulation; Defense Evasion: Access Token Manipulation | Add | This step creates a named pipe and a service that writes to that named pipe. |
| msxsl_bypass_remote | Execution: XSL Script Processing; Defense Evasion: XSL Script Processing | Add | This step executes the code specified within an XSL script tag during XSL transformation, using a remote payload. |
| mimikatz_dcsync | Credential Access: Credential Dumping | Add | Works against a remote Windows Domain Controller using the replication protocol. |
| launches_executable_using_rundll32_and_pcwutl | Execution: Rundll32; Defense Evasion: Rundll32 | Add | This step creates a service with a name similar to W32Time (win32times) using sc.exe. |
| get_SPNs | Credential Access: Kerberoasting | Add | This step uses native PowerShell identity modules to query the domain and extract the Service Principal Names for a single computer. |
| exfiltration_by_configsecuritypolicy | Exfiltration: Exfiltration Over Other Network Medium | Add | Exfiltration of data using ConfigSecurityPolicy.exe. |
| code_executed_via_xll_file | Persistence: Office Application Startup | Add | This step loads an XLL file using the Excel add-ins library, which causes Excel to display the message "Hello World". |
| process_enumeration | Execution: Windows Management Instrumentation | Mod | This step uses WMIC to capture the process ID, executable path, PID, and parent PID of processes on the target machine. |
| Register-CimProvider | Execution: Signed Binary Proxy Execution; Defense Evasion: Signed Binary Proxy Execution | Mod | This step executes an arbitrary DLL. |