Initial Access
T1192 html_urls: HTML-document downloads a file
Execution
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Discovery
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
Command and Control
T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests
Other
suricata_alert: Malicious traffic detected
code_share_services: Connects to text storage services (potentially for malicious payload delivery)
creates_exe: Creates executable files in the file system
unexpected_exception: Unexpected exception
creates_in_programdata: Creates files in the ProgramData directory
checktokenmembership: Checks user token with CheckTokenMembership call