Execution
T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.001 antivm_network_adapters: Checks NIC addresses
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization
Discovery
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.001 antivm_network_adapters: Checks NIC addresses
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_generic_video: Checks information about video adapters in registry, possibly for anti-virtualization
Command and Control
T1102.003 cloud_discord: Connects to cloud services of Discord (potentially for malicious payload delivery)
T1102.003 cloud_amazonaws: Connects to cloud services of Amazon AWS (potentially for malicious payload delivery)
Other
creates_exe: Creates executable files in the file system
executes_dropped_exe: Executes dropped exe files
opens_document: Opens office documents
creates_doc: Creates (office) documents in the file system
network_powershell: Powershell process network connection detected
creates_suspended_process: Creates suspended process
test_check_service: Starts services
suricata_alert: Malicious traffic detected
yara_rules: Static rules