Execution
T1059.003 suspicious_process: Spawns a suspicious process
T1047 has_wmi: Executes one or several WMI requests
T1059.003 suspicious_cmd: Executes cmd.exe with a suspicious command line
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL
Persistence
T1037 persistence_autorun: Makes itself run automatically on Windows startup
Privilege Escalation
T1037 persistence_autorun: Makes itself run automatically on Windows startup
T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1218 wmic_create_process: Creates a process using wmic.exe utility
T1027 suspicious_cmd: Executes cmd.exe with a suspicious command line
T1497 debugs_self: Creates a process and debugs it
T1218 suspicious_cmdline: Executes a suspicious command
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization
Discovery
T1082 recon_systeminfo: Collects system information (ipconfig, netstat, systeminfo, net)
T1057 has_wmi: Executes one or several WMI requests
T1497 debugs_self: Creates a process and debugs it
T1033 queries_username: Gets username
T1518 locates_browser: Attempts to identify where browsers are installed
T1016 get_hostname: Attempts to get hostname
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization
Command and Control
T1071.001 network_http: Performs HTTP requests
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
Other
opens_document: Opens office documents
creates_exe: Creates executable files in the file system
creates_doc: Creates (office) documents in the file system
creates_in_windows: Creates files in the Windows directory
creates_suspended_process: Creates suspended process
test_check_service: Starts services
suricata_alert: Malicious traffic detected