Execution
T1569.002 persistence_service: Starts newly created service
Persistence
T1543.003 creates_service: Creates a service
Privilege Escalation
T1543.003 creates_service: Creates a service
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1497.001 antivm_firmware: Attempts to detect VM by firmware
T1497.001 antivm_network_adapters: Checks NIC addresses
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Discovery
T1497.001 antivm_firmware: Attempts to detect VM by firmware
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497 checks_firmware: Attempts to read firmware information (potentially for evasion)
T1497.001 antivm_queries_computername: Retrieves the computer name
T1082 checks_firmware: Attempts to read firmware information (potentially for evasion)
Impact
T1489 service_control_stop: Stops services via ControlService
Other
yara_rules: Static rules
driver_load: Loads a driver
static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names
no_graphical_activity: No graphic activity
test_check_service: Starts services