Initial Access
T1192 html_urls: HTML-document downloads a file
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1480 system_default_lang_id_present: Checks the system language
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Discovery
T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
Command and Control
T1102.003 references_gofile: Contains links to cloud services of Gofile (potentially for malicious payload delivery)
Other
suspicious_pdf_link: PDF file with suspicious hyperlink or content
suspicious_pdf: PDF file with suspicious content
pdf_page: Contains only one page
creates_doc: Creates (office) documents in the file system
pdf_compressed_stream: Contains an object with compressed stream
require_administrator: Requests administrator privileges
has_pdb: This executable file has a PDB path
get_policy_info: Retrieves information about a Policy object
office_links: Office file contains external links
pe_overlay: PE file contains overlay
open_winlogon_process: Trying to open winlogon process
valid_authenticode: The digital signature has been verified