Running an ATT&CK case
Adding domains
You need to first set up domains on the client devices, then add these domains on FortiTester.
- Go to Cases > ATT&CK Testing.
- Click ATT&CK Cases > Domains.
- Click + Create New.
- Enter the name for the domain. It should be exactly the same with the domains you have set up on the client devices.
You can go to Monitor > Agent Monitor, and check the Domain column for the name of the domain. - Repeat step 3 and 4 to add more domains.
Adding a host group
A host group containing a collection of hosts. You can later reference this group in the ATT&CK case settings so that FortiTester will perform adversary actions on the hosts in this group.
- Go to Cases > ATT&CK Testing.
- Click ATT&CK Cases > Hosts.
- Click + Create New.
- Enter a name for the host group.
- Select domain. The hosts to be added in this group should all belong to this domain. If you select Any, the hosts in this group can be in any domain.
- Click OK.
- Click + Create New.
- Select a host.
- Click OK.
- Repeat step 7 to 9 to add more hosts.
To save a local copy of the configuration, you can click the Export icon to export the configuration of the host group. In case the host group is accidentally deleted, you can click Import to quickly recover the configuration.
Creating an ability group
An ability group contains a collection of operations that can be used by an adversary.
- Cases > ATT&CK Testing.
- Select ATT&CK Cases > Abilities.
- Click + Create New.
- Enter a name for the ability group.
- Click OK.
- Click + Create New.
- On the Add abilities page, select the abilities you want to add. You can use the Platform, ATT&CK Tactic, and ATT&CK Technique options to filter out the desired abilities.
- Click Save.
On ATT&CK>ATT&CK Matrix Coverage, the supported abilities on you FortiTester appliance are displayed in green background. You can upgrade your service through System>FortiGuard to support a higher version of ATT&CK, so that more abilities will be included.
Creating an adversary
The adversary represents a real adversary’s tactics and techniques. You can later reference the adversary in ATT&CK Cases.
- Go to Cases > ATT&CK Testing.
- Click ATT&CK Cases > Adversaries.
- Click + Create New.
- Enter a name for the Adversary.
- Select the Ability Group to be used by this adversary. By referencing the ability group in adversary, you can flexibly switch the ability group when the case is running.
- If exfiltrate_files is included in the ability group, you need to select the exfil method that will be used to exfiltrates target files on the target hosts.
- Click Save.
Creating an ATT&CK Case
- Go to Cases>ATT&CK Testing.
- Select ATT&CK Cases>ATT&CK Cases.
- Click Add.
- Configure the following settings.
Name Enter a name for this case. Adversary Select the adversary which will perform a collection of operations on the target hosts. Hosts Select the host group which includes a collection of target hosts. Starting Host Select on which host the adversary actions begins. Start Method - Existing RAT: The adversary uses the existing Remote Access Tool (RAT) to start malicious actions.
- Wait For New RAT: The actions do not start until a new RAT is installed on target hosts.
- Bootstrap RAT: The RAT will be automatically installed on target hosts when you start the case, thus the adversary actions will also start.
To manually download RAT, go to ATT&CK Cases > Maintenance > Resources > RATs table.Start Path The location of the RAT's executable file that is stored or to be stored on the client devices. Starting User - System: Start RAT by system user.
- Active user: Start RAT by the active user.
- Logon User: Start RAT by the specified user. You need to provide the user name and password.
Parent Process Run the RAT process as a child process of the specified parent process, in order to disguise itself. Starting User Name If you select Logon User in Starting User, enter the name of this user. Starting User Password If you select Logon User in Starting User, enter the password of this user account. Auto Cleanup Enable to automatically perform cleanup when the case is finished. Command Delay The time interval that the adversary will wait to perform the next action (ability). Command Jitter The jitter that will compromise the Command Delay considering the network latency. For example, if the Command Delay is 3 seconds, and the Command Jitter is 1 second, then the actual Command Delay will be between 2 to 4 seconds. Current Limit on Failed Actions If an adversary action fails for the specified times, FortiTester will perform the next action. Job Timeout If FortiTester doesn't get response from FortiAgent for the specified time, the adversary action is considered failed. Enable Windows Defender Configure to enable or disable windows defender software in ATT&CK hosts. Enable Windows Firewall Configure to enable or disable windows firewall software in ATT&CK hosts. - Click Save to save the configuration, or click Start to start the case immediately.