Persistence
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
Privilege Escalation
T1055.012 injection_runpe: Injects code into another process
T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1055.012 injection_runpe: Injects code into another process
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1564.001 stealth_file: Creates hidden or system files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1006 direct_disc_access: Direct disk access has been detected
T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization
T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1027.002 packer_upx: The executable file is compressed using UPX
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1027.001 static_overlay_padding: Overlay contents padding
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1218 suspicious_cmdline_keywords: Cmdline with suspicious keywords
T1497.001 antivm_queries_computername: Retrieves the computer name
Discovery
T1497.001 antivm_generic_cpu: Checks the CPU name, possibly for anti-virtualization
T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1082 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_queries_computername: Retrieves the computer name
Command and Control
T1071.001 network_http: Performs HTTP requests
T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl
Exfiltration
T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)
Impact
T1489 stops_service: Stops Windows services
T1529 nt_raise_hard_error: Detected agressive BSOD (typical for malware) using NtRaiseHardError
T1489 change_service_config: Stops services via ChangeServiceConfig
T1489 service_control_stop: Stops services via ControlService
Other
yara_rules: Static rules
ransomware_petya: Petya ransomware detected
ransomware_shadowcopy: Removes volume shadow copies
creates_exe: Creates executable files in the file system
static_pe_anomaly: The PE file structure contains anomalies
ransomware_bcdedit: Runs bcdedit commands specific to ransomware
copies_self: Creates a copy of itself
ip_domains: Identifies an IP address using external resources
suspicious_process: Spawns a suspicious process
executes_dropped_exe: Executes dropped exe files
mimics_agent: Uses system User-Agent for requests
static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names
dotnet_suspicious_resources_names: Dotnet program has suspicious resources names
require_administrator: Requests administrator privileges
dotnet_embeded_dependencies_by_costura: Dotnet program has embedded dependencies by Costura
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
dotnet_use_suspicious_functions: Dotnet program potentially uses suspicious functions/modules
pe_overlay: PE file contains overlay
many_files_in_archive: The archive contains more than 5 files