Execution
T1204 suspicious_lnk: LNK file with suspicious content
T1047 has_wmi: Executes one or several WMI requests
Privilege Escalation
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1055 injection_failed: The attempt to inject into a process has failed
Defense Evasion
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1055 injection_failed: The attempt to inject into a process has failed
Credential Access
T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)
Discovery
T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1082 reads_csrss: Attempts to read csrss.exe memory
Collection
T1560.001 archive_via_utility: Detected archiving data via utility
T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)
Impact
T1529 shutdown_system: Shuts the system down
Other
kills_explorer: Terminates explorer.exe process
unexpected_exception: Unexpected exception
creates_suspended_process: Creates suspended process
get_policy_info: Retrieves information about a Policy object
yara_rules: Static rules