Execution
T1059.003 executes_dropped_cmd: Executes dropped batch files
Persistence
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
Privilege Escalation
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1096 persistence_ads: Creates an Alternate Data Stream (ADS)
T1027.002 unnamed_memory_regions: Code was executed from unnamed (unbacked) memory regions
T1574.011 persistence_services: Modifies Services registry key
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 windows_enumthread: Attempts to enumerate windows with EnumThreadWindows and read their text via SendMessage
Discovery
T1497 windows_enumthread: Attempts to enumerate windows with EnumThreadWindows and read their text via SendMessage
T1016 system_network_configuration_discovery: System network configuration discovery detected
T1082 windows_enumthread: Attempts to enumerate windows with EnumThreadWindows and read their text via SendMessage
T1082 recon_systeminfo: Collects system information (ipconfig, netstat, systeminfo, net)
Command and Control
T1095 network_icmp: Creates ICMP traffic
Other
creates_exe: Creates executable files in the file system
ipconfig_release: Removes network adapter IP address configuration
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
pe_overlay: PE file contains overlay
yara_rules: Static rules
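Signature listings in this format (a tactic heading followed by "TECHNIQUE_ID signature: description" lines, with an untagged "Other" block at the end) are what a detection engineer usually has to turn into something an analyst can visualise. The script below is an added example, not part of the sandbox report or of any vendor's tooling: it parses such a listing into records, folds the hits into an ATT&CK Navigator layer (one entry per technique per tactic, scored by the number of distinct signatures), lists the behaviours the sandbox did not map to any technique, and rewrites revoked IDs. The only rewrite shipped is T1096, which MITRE revoked in favour of T1564.004 (Hide Artifacts: NTFS File Attributes); extend REVOKED for whatever ATT&CK version you load in Navigator. The SAMPLE_REPORT text is a constructed excerpt of the listing above, and the version numbers in the layer header are assumptions to adjust for your Navigator instance.

```python
"""Parse a sandbox behaviour report into records and emit an ATT&CK Navigator layer.

Input format (as in the listing above):
    <Tactic heading>
    <TECHNIQUE_ID> <signature_name>: <description>
    ...
    Other
    <signature_name>: <description>          # no technique ID
"""
import json
import re
from collections import defaultdict

# Constructed excerpt of the report above (not the full listing).
SAMPLE_REPORT = """\
Execution
T1059.003 executes_dropped_cmd: Executes dropped batch files
Persistence
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
Privilege Escalation
T1543.003 persistence_services: Modifies Services registry key
Defense Evasion
T1096 persistence_ads: Creates Alternate Data Stream (ADS)
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
Other
creates_exe: Creates executable files in the file system
pe_overlay: PE file contains overlay
"""

# Technique IDs revoked by MITRE -> the ID that superseded them.
# T1096 (NTFS File Attributes) was folded into T1564.004 (Hide Artifacts: NTFS File Attributes).
REVOKED = {"T1096": "T1564.004"}

# Optional technique ID (T1234 or T1234.001), then "signature: description".
# A line that does not match is treated as a tactic heading.
LINE_RE = re.compile(
    r"^(?:(?P<tid>T\d{4}(?:\.\d{3})?)\s+)?(?P<sig>[a-z0-9_]+):\s*(?P<desc>.+)$"
)


def parse_report(text):
    """Return one dict per signature line: tactic, technique (None if untagged), signature, description."""
    records, tactic = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            tactic = line  # heading such as "Defense Evasion" or "Other"
            continue
        if tactic is None:
            raise ValueError(f"signature line before any tactic heading: {line!r}")
        records.append({
            "tactic": tactic,
            "technique": m.group("tid"),
            "signature": m.group("sig"),
            "description": m.group("desc"),
        })
    return records


def tactic_shortname(tactic):
    """Navigator expects lowercase, hyphenated tactic names ("Privilege Escalation" -> "privilege-escalation")."""
    return tactic.strip().lower().replace(" ", "-")


def untagged_signatures(records):
    """Behaviours the sandbox reported without a technique ID; these still need a human to map or triage."""
    return sorted({r["signature"] for r in records if r["technique"] is None})


def build_navigator_layer(records, name="sandbox-report"):
    """Fold records into a Navigator layer: one entry per (technique, tactic), scored by distinct signatures."""
    sigs_for = defaultdict(set)   # (technique_id, tactic) -> {signature, ...}
    revoked_note = {}             # (technique_id, tactic) -> note about the original ID
    for r in records:
        tid = r["technique"]
        if tid is None:
            continue
        tac = tactic_shortname(r["tactic"])
        if tid in REVOKED:
            revoked_note[(REVOKED[tid], tac)] = f"reported under revoked ID {tid}"
            tid = REVOKED[tid]
        sigs_for[(tid, tac)].add(r["signature"])

    techniques = []
    for (tid, tac), sigs in sorted(sigs_for.items()):
        comment = ", ".join(sorted(sigs))
        if (tid, tac) in revoked_note:
            comment += "; " + revoked_note[(tid, tac)]
        techniques.append({"techniqueID": tid, "tactic": tac, "score": len(sigs), "comment": comment})

    return {
        "name": name,
        # Assumed version fields; set them to match the Navigator/ATT&CK build you import into.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print("untagged:", untagged_signatures(recs))
    print(json.dumps(build_navigator_layer(recs), indent=2))
```

Run it as-is to print the layer for the excerpt, or replace SAMPLE_REPORT with the full listing and import the JSON into Navigator. Keeping one entry per (technique, tactic) pair rather than deduplicating on technique alone matters here: persistence_services legitimately lights up T1543.003 under both Persistence and Privilege Escalation, and collapsing them would hide the escalation path.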