Execution
T1047 has_wmi: Executes one or several WMI requests
Privilege Escalation
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1564.004 removes_zoneid_ads: Attempts to hide the indications that the file was downloaded from the Internet
T1497.001 antivm_vpc_keys: Attempts to detect Virtual PC
T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_vbox_keys: Detects VirtualBox through the presence of a registry key
T1497.001 antivm_hyperv_keys: Attempts to detect Hyper-V
T1497.001 antivm_vbox_files: Detects VirtualBox through the presence of a file
T1497.001 antivm_vmware_keys: Detects VMware through the presence of a registry key
T1497.001 antivm_xen_keys: Attempts to detect Xen
T1497 office_security_check: Checks Microsoft Office security settings
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Credential Access
T1503 infostealer_browser: Retrieves personal information from local Internet browsers
T1552 infostealer_browser: Retrieves personal information from local Internet browsers
T1552 cookie_files: Accesses cookie files
T1555.003 cookie_files: Accesses cookie files
T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager
Discovery
T1497.001 antivm_vpc_keys: Attempts to detect Virtual PC
T1497.001 antivm_generic_bios: Checks the BIOS version, possibly for anti-virtualization
T1497.001 antivm_vbox_keys: Detects VirtualBox through the presence of a registry key
T1497.001 antivm_hyperv_keys: Attempts to detect Hyper-V
T1497.001 antivm_vbox_files: Detects VirtualBox through the presence of a file
T1497.001 antivm_vmware_keys: Detects VMware through the presence of a registry key
T1497.001 antivm_xen_keys: Attempts to detect Xen
T1518.001 antiav_detectfile: Attempts to detect installed antiviruses by a certain directory
T1497 office_security_check: Checks Microsoft Office security settings
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1057 process_interest: Enumerates processes
T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1497.001 antivm_network_adapters: Checks NIC addresses
T1518 locates_browser: Attempts to identify where browsers are installed
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1083 checks_recent_files: Attempt to check recently opened files through registry
T1057 has_wmi: Executes one or several WMI requests
Command and Control
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1102.003 references_discord: Contains links to cloud services of Discord (potentially for malicious payload delivery)
T1102.003 references_github: Contains links to cloud services of Github (potentially for malicious payload delivery)
Other
suspicious_pdf_link: PDF file with suspicious hyperlink or content
network_bind: Starts servers listening at None
creates_exe: Creates executable files in the file system
suspicious_pdf: PDF file with suspicious content
pdf_page: Contains only one page
executes_dropped_exe: Executes dropped exe files
create_rpc_bindings: Creates RPC connection
pdf_compressed_stream: Contains an object with compressed stream
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
office_links: Office file contains external links
checktokenmembership: Checks user token with CheckTokenMembership call
pe_overlay: PE file contains overlay
yara_rules: Static rules