Execution
T1204 suspicious_lnk: LNK file with suspicious content
T1059.003 suspicious_process: Spawns a suspicious process
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL
Defense Evasion
T1218 suspicious_cmdline: Executes a suspicious command
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1218 suspicious_cmdline_keywords: Cmdline with suspicious keywords
Discovery
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1082 has_wmi: Executes one or several WMI requests
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
Command and Control
T1105 cmdline_curl: Uses curl utility for network data transferring
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet
Other
suricata_alert: Malicious traffic detected
network_bind: Starts servers listening at 127.0.0.1:0
creates_exe: Creates executable files in the file system
create_process_failed: Could not start the process
suspicious_process_network: Unusual process network activity detected
dns_tld_su: Connects to TLD .SU, possibly malware
creates_suspended_process: Creates suspended process
test_check_service: Starts services
js_suspicious: Suspicious javascript
yara_rules: Static rules