Initial Access
T1192 downloader_ms_word: Suspicious link to an external file (Microsoft Word)
Execution
T1203 exploit_CVE_2022_30190: Exploitation of Follina (CVE-2022-30190) Vulnerability
T1204.002 office_com_load: Microsoft Office loads COM DLL files (indicator of COM usage in macros)
Defense Evasion
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
Discovery
T1497 evasion_trustrecords: Attempts to detect Sandbox exploring trusted documents
Command and Control
T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
Other
yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
test_check_service: Starts services