| Tactic | Technique | Signature | Description |
|---|---|---|---|
| Execution | T1203 | exploit_CVE_2017_11882 | Exploits CVE-2017-11882 vulnerability |
| Execution | T1203 | office_write_exe | Office document dropped an executable file |
| Persistence | T1547.001 | persistence_autorun | Makes itself run automatically on Windows startup |
| Persistence | T1574 | dropper_dll | Creates DLL, which is then loaded into the process |
| Privilege Escalation | T1547.001 | persistence_autorun | Makes itself run automatically on Windows startup |
| Privilege Escalation | T1055.002 | inject_write_pe | Writes PE file to another process's memory |
| Privilege Escalation | T1574 | dropper_dll | Creates DLL, which is then loaded into the process |
| Defense Evasion | T1055.002 | inject_write_pe | Writes PE file to another process's memory |
| Defense Evasion | T1027.002 | unnamed_memory_regions | Code was executed in unnamed regions |
| Defense Evasion | T1574 | dropper_dll | Creates DLL, which is then loaded into the process |
| Defense Evasion | T1027.002 | packer_entropy | Probably contains compressed or encrypted data |
| Discovery | T1057 | process_interest | Enumerates processes |
| Discovery | T1083 | checks_recent_files | Attempt to check recently opened files through registry |
| Other | | office_embedded | The office file has a container with an executable file |
| Other | | suspicious_process | Spawns a suspicious process |
| Other | | process_crashed | One of the processes has failed |
| Other | | unexpected_exception | Unexpected exception |
| Other | | yara_rules | Static rules |
| Other | | create_rpc_bindings | Creates RPC connection |
| Other | | creates_suspended_process | Creates suspended process |
| Other | | test_check_service | Starts services |