Execution
T1059 autoit: AutoIt script execution detected
T1059.003 executes_dropped_cmd: Executes dropped batch files
T1047 has_wmi: Executes one or several WMI requests
Persistence
T1098 add_user_to_admin: Adds an elevated user to a group
T1136.001 add_user: Creates a new Windows user account
T1098 add_user_to_group: Adds user to a group
Privilege Escalation
T1098 add_user_to_admin: Adds an elevated user to a group
T1098 add_user_to_group: Adds user to a group
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1055 injection_failed: The attempt to inject into a process has failed
Defense Evasion
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1070.001 wevtutil_clear_log: Clears event log using wevtutil
T1027.002 packer_vmprotect: Executable file is likely compressed using VMProtect
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1480 system_default_lang_id_present: Checks the system language
T1070.004 self_removal_command: Executes command to delete itself
T1055 injection_failed: The attempt to inject into a process has failed
Discovery
T1057 process_interest: Enumerates processes
T1082 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1497 windows_enumthread: Attempts to enumerate windows using EnumThreadWindows and SendMessage for text obtaining
T1497.002 async_mouse: Watches for mouse clicks using GetAsyncKeyState to detect human activity
T1016 get_hostname: Attempts to get hostname
Command and Control
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet
Impact
T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies
Other
yara_rules: Static rules
ransomware_shadowcopy: Removes volume shadow copies
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
require_administrator: Requests administrator privileges
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
message_box: Displays a message
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
pe_overlay: PE file contains overlay
valid_authenticode: The digital signature has been verified