Execution
T1204 suspicious_lnk: LNK file with suspicious content
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059 finger_abuse: Abusing finger.exe to download payload
T1059.003 suspicious_cmd_process: Cmd.exe without commandline launches a new process
T1059.001 suspicious_process: Spawns a suspicious process
T1047 has_wmi: Executes one or several WMI requests
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1218.011 rundll_shell32: Uses ShellExec_RunDLL to run an executable file
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Discovery
T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1518 locates_browser: Attempts to identify where browsers are installed
Collection
T1560.001 cmdline_tar: Uses tar utility to compress or decompress data
Command and Control
T1071.001 network_http: Performs HTTP requests
T1105 cmdline_curl: Uses curl utility for network data transferring
Other
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
network_bind: Starts servers listening at 127.0.0.1:0
creates_doc: Creates (office) documents in the file system
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
yara_rules: Static rules