Execution
T1059.003 cmd_ping_del: Uses cmd.exe for pausing and deletion of the original file
T1059 autoit: AutoIt script execution detected
T1059.003 executes_dropped_cmd: Executes dropped batch files
T1047 has_wmi: Executes one or several WMI requests
Persistence
T1098 add_user_to_admin: Adds an elevated user to a group
T1098 password_policy: Changes password policy
T1136.001 add_user: Creates a new Windows user account
T1098 add_user_to_group: Adds user to a group
T1543.003 persistence_services: Modifies Services registry key
T1574.011 persistence_services: Modifies Services registry key
Privilege Escalation
T1098 add_user_to_admin: Adds an elevated user to a group
T1098 password_policy: Changes password policy
T1098 add_user_to_group: Adds user to a group
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1070.004 cmd_ping_del: Uses cmd.exe for pausing and deletion of the original file
T1564.001 stealth_file: Creates hidden or system files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1070.001 wevtutil_clear_log: Clears event log using wevtutil
T1562.004 firewall_add_rule: Modifies Firewall rules
T1574.011 persistence_services: Modifies Services registry key
T1497.002 antisandbox_foregroundwindows: Checks whether any human activity is being performed by constantly checking whether the foreground window has changed
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1027.002 packer_vmprotect: Executable file is likely compressed using VMProtect
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1480 system_default_lang_id_present: Checks the system language
T1070 stealth_window: A process created a hidden window
T1070.004 self_removal_command: Executes command to delete itself
Credential Access
T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager
Discovery
T1201 password_policy: Changes password policy
T1057 pidbruteforce: Enumerates processes using PID Bruteforce
T1057 process_interest: Enumerates processes
T1497.002 antisandbox_foregroundwindows: Checks whether any human activity is being performed by constantly checking whether the foreground window has changed
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1518 locates_browser: Attempts to identify where browsers are installed
T1016 get_hostname: Attempts to get hostname
T1016.001 system_network_configuration_discovery: System network configuration discovery detected
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
Lateral Movement
T1021.001 rdp_persistence: Permits remote access to the computer (over RDP)
Command and Control
T1071.001 network_http: Performs HTTP requests
T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet
Impact
T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies
T1489 net_stop: Stops services through the use of net stop
Other
yara_rules: Static rules
suricata_alert: Malicious traffic detected
creates_many_processes: Spawns a lot of processes (over 70)
ransomware_shadowcopy: Removes volume shadow copies
multiple_useragents: Uses more than one unique User-Agent
driver_load: Loads a driver
network_bind: Starts servers listening at None, 0.0.0.0:3389
creates_exe: Creates executable files in the file system
dead_host: Connects to IP addresses that do not respond to requests
executes_dropped_exe: Executes dropped exe files
unsigned_driver_drop: Sample is not signed and drops a device driver
create_rpc_bindings: Creates RPC connection
require_administrator: Requests administrator privileges
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
access_recyclebin: Manipulation with recyclebin detected
message_box: Displays a message
creates_in_programdata: Creates files in the ProgramData directory
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
pe_overlay: PE file contains overlay
open_winlogon_process: Trying to open winlogon process
js_suspicious: Suspicious javascript
valid_authenticode: The digital signature has been verified