| Description | Rule |
|---|---|
| Code injection with CreateRemoteThread in a remote process | inject_thread |
| Create a Windows service | create_service |
| Create a COM server | create_com_service |
| Communications over UDP network | network_udp_sock |
| Listen for incoming communication | network_tcp_listen |
| Communications over P2P network | network_p2p_win |
| Communications over HTTP | network_http |
| File downloader/dropper | network_dropper |
| Communications over FTP | network_ftp |
| Communications over RAW socket | network_tcp_socket |
| Communications use DNS | network_dns |
| Communication using DGA | network_dga |
| Escalate privileges | escalate_priv |
| Take screenshot | screenshot |
| Run a keylogger | keylogger |
| Steal credentials | cred_local |
| Record audio | sniff_audio |
| APC queue task migration | migrate_apc |
| Malware can spread east-west via files | spreading_file |
| Malware can spread east-west using a shared drive | spreading_share |
| Create or check mutex | win_mutex |
| Affect system registry | win_registry |
| Affect system token | win_token |
| Affect private profile | win_private_profile |
| Affect private profile | win_files_operation |
| Match Winsock 2 API library declaration | Str_Win32_Winsock2_Library |
| Match Windows Inet API library declaration | Str_Win32_Wininet_Library |
| Match Windows Inet API call | Str_Win32_Internet_API |
| Match Windows Http API call | Str_Win32_Http_API |
| (no description) | DebuggerCheck__GlobalFlags |
| (no description) | DebuggerCheck__QueryInfo |
| (no description) | DebuggerCheck__RemoteAPI |
| (no description) | DebuggerHiding__Thread |
| (no description) | DebuggerHiding__Active |
| (no description) | DebuggerException__ConsoleCtrl |
| (no description) | DebuggerException__SetConsoleCtrl |
| (no description) | ThreadControl__Context |
| (no description) | SEH__vectored |
| (no description) | Check_Dlls |
| Possibly employs anti-virtualization techniques | vmdetect |
| Checks if being debugged | anti_dbg |
| Anti-sandbox checks for ThreatExpert | antisb_threatExpert |
| Bypass DEP | disable_dep |
| Affect hook table | win_hook |