Execution
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1047 has_wmi: Executes one or several WMI requests
T1059 autoit: AutoIt script execution detected
T1047 antivm_wmi: Uses WMI to detect virtual environment
Persistence
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
Privilege Escalation
T1055.012 injection_runpe: Injects code into another process
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1055 sets_debug_registers: Sets debug registers for a thread in a different process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1055 injection_failed: The attempt to inject into a process has failed
Defense Evasion
T1055.012 injection_runpe: Injects code into another process
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1055 sets_debug_registers: Sets debug registers for a thread in a different process
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1564.001 stealth_file: Creates hidden or system files
T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497.002 detects_mousemove: Checks if the mouse is moving
T1036 system_filename: Created a file named as a common system file
T1036 system_procname: Created a process named as a common system process
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497 debugs_self: Creates a process and debugs it
T1497 antidbg_query_system: Checks for kernel debugger (SystemKernelDebuggerInformation)
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.001 antivm_network_adapters: Checks NIC addresses
T1055 injection_failed: The attempt to inject into a process has failed
T1480 system_default_lang_id_present: Checks the system language
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070 stealth_window: A process created a hidden window
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name
T1218 suspicious_cmdline_keywords: Cmdline with suspicious keywords
Credential Access
T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager
Discovery
T1082 has_wmi: Executes one or several WMI requests
T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service
T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1497.001 antivm_sandboxie: Attempts to detect Sandboxie
T1497.002 detects_mousemove: Checks if the mouse is moving
T1082 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1057 process_interest: Enumerates processes
T1497 debugs_self: Creates a process and debugs it
T1497 antidbg_query_system: Checks for kernel debugger (SystemKernelDebuggerInformation)
T1497 antidbg_query_process: Checks if the process is being debugged (ProcessDebugPort)
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antivm_disk_size: Checks the amount of free disk space
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_network_adapters: Checks NIC addresses
T1016 system_network_configuration_discovery: System network configuration discovery detected
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name
Command and Control
T1032 internet_security_options: Sets Internet connections options that are not secure
T1071 internet_security_options: Sets Internet connections options that are not secure
T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests
T1102.003 cloud_github: Connects to cloud services of Github (potentially for malicious payload delivery)
T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp
T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet
Exfiltration
T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)
Impact
T1486 modifies_files2: Cryptolocker indicators detected (500 or more files are modified)
T1486 modifies_files: Cryptolocker indicators detected (renamed 500 or more files)
T1489 stops_service: Stops Windows services
T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies
T1490 disables_system_restore: Disables System Restore
T1486 ransomware_message: Ransomware indicators detected (possible ransom message creation)
T1486 ransomware_files: Ransomware indicators detected Ragnar Locker (creates keys and the instruction on how to unlock the files)
T1486 ransomware_extensions: Ransomware(s) RagnarLocker indicators detected (specific extension is added to files)
T1486 ransomware_files_2: Ransomware(s) RagnarLocker indicators detected (creates keys and the instruction on how to unlock the files)
T1489 change_service_config: Stops services via ChangeServiceConfig
T1489 service_control_stop: Stops services via ControlService
Other
yara_rules: Static rules
suricata_alert: Malicious traffic detected
ransomware_ragnarlocker: Detected RagnarLocker ransomware
cobaltstrike_loader: CobaltStrike loader is detected
ransomware_shadowcopy: Removes volume shadow copies
creates_exe: Creates executable files in the file system
creates_many_processes: Spawns a lot of processes (over 70)
unpacker_wrong_base: Possibly, an error occured in the file unpacker
ransomware_bcdedit: Runs bcdedit commands specific to ransomware
ip_domains: Identifies an IP address using external resources
create_process_failed: Could not start the process
suspicious_process_network: Unusual process network activity detected
dead_host: Connects to IP addresses that do not respond to requests
suspicious_process: Spawns a suspicious process
executes_dropped_exe: Executes dropped exe files
mimics_agent: Uses system User-Agent for requests
process_crashed: One of the processes has failed
dotnet_suspicious_resources_names: Dotnet program has suspicious resources names
create_rpc_bindings: Creates RPC connection
require_administrator: Requests administrator privileges
creates_suspended_process: Creates suspended process
error_drawtext: An error occured while executing the file
dotnet_obfuscated: Dotnet program is potentially obfuscated
get_policy_info: Retrieves information about a Policy object
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
open_winlogon_process: Trying to open winlogon process
dotnet_suspicious_entrypoint: Dotnet program has suspicious entrypoint
dotnet_suspicious_module_name: Dotnet program has suspicious module name