Execution
T1204 suspicious_lnk: LNK file with suspicious content
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests
Defense Evasion
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
Credential Access
T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files
Discovery
T1082 has_wmi: Executes one or several WMI requests
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
Other
unexpected_exception: Unexpected exception
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
yara_rules: Static rules