Privilege Escalation
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Defense Evasion
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
Discovery
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
Command and Control
T1102.003 references_onedrive: Contains links to cloud services of Onedrive (potentially for malicious payload delivery)
Other
yara_rules: Static rules
static_pe_anomaly: The PE file structure contains anomalies
suspicious_pdf: PDF file with suspicious content
pdf_page: Contains only one page
suspicious_pdf_link: PDF file with suspicious hyperlink or content
pdf_compressed_stream: Contains an object with compressed stream
has_pdb: This executable file has a PDB path
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
get_policy_info: Retrieves information about a Policy object
office_links: Office file contains external links
dotnet_use_suspicious_functions: Dotnet program potentially uses suspicious functions/modules
pe_overlay: PE file contains overlay