Execution
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process
T1047 has_wmi: Executes one or several WMI requests
Privilege Escalation
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1562.001 stops_security_center: Stops Security Center
T1070.001 wevtutil_clear_log: Clears event log using wevtutil
T1134 opens_process_token: Opens the access token associated with a process
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
Discovery
T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1518 locates_browser: Attempts to identify where browsers are installed
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
Impact
T1489 stops_security_center: Stops Security Center
T1490 wbadmin_delete_backup: Removes system backup copies using wbadmin utility
T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies
T1489 net_stop: Stops services through the use of net stop
Other
creates_many_processes: Spawns a lot of processes (over 70)
ransomware_shadowcopy: Removes volume shadow copies
ransomware_bcdedit: Runs bcdedit commands specific to ransomware
creates_suspended_process: Creates suspended process
test_check_service: Starts services
yara_rules: Static rules