Atomic Blue Detections

Each analytic is mapped to the ATT&CK tactics and techniques it covers. Technique IDs use the pre-sub-technique ATT&CK numbering current when the analytics were written (for example, T1088 Bypass User Account Control is now T1548.002), so remap them before comparing against a current ATT&CK matrix.

| Analytic | Contributors | Updated | Tactics | Techniques |
|---|---|---|---|---|
| AD Dumping via Ntdsutil.exe | Tony Lambert | 01/07/2019 | Credential Access | T1003 Credential Dumping |
| Audio Capture via PowerShell | Endgame | 11/30/2018 | Collection | T1123 Audio Capture |
| Audio Capture via SoundRecorder | Endgame | 11/30/2018 | Collection | T1123 Audio Capture |
| Bypass UAC via CMSTP | Endgame | 11/30/2018 | Defense Evasion, Execution | T1191 CMSTP, T1088 Bypass User Account Control |
| Bypass UAC via Fodhelper.exe | Tony Lambert | 05/17/2019 | Privilege Escalation | T1088 Bypass User Account Control |
| Bypass UAC via WSReset.exe | Tony Lambert | 05/17/2019 | Privilege Escalation | T1088 Bypass User Account Control |
| Change Default File Association | Endgame | 11/30/2018 | Persistence | T1042 Change Default File Association |
| Clearing Windows Event Logs with wevtutil | Endgame | 11/30/2018 | Defense Evasion | T1070 Indicator Removal on Host |
| COM Hijack via Script Object | Endgame | 11/30/2018 | Persistence, Defense Evasion | T1122 Component Object Model Hijacking |
| Command-Line Creation of a RAR file | Endgame | 11/30/2018 | Exfiltration | T1002 Data Compressed |
| Delete Volume USN Journal with fsutil | Endgame | 11/30/2018 | Defense Evasion | T1070 Indicator Removal on Host |
| Discovery of a Remote System’s Time | Endgame | 11/30/2018 | Discovery | T1124 System Time Discovery |
| Domain Trust Discovery via Nltest.exe | Tony Lambert | 05/17/2019 | Discovery | T1482 Domain Trust Discovery |
| Encoding or Decoding Files via CertUtil | Endgame | 11/30/2018 | Defense Evasion | T1140 Deobfuscate/Decode Files or Information |
| Enumeration of Mounted Shares | Endgame | 11/30/2018 | Discovery | T1049 System Network Connections Discovery |
| Enumeration of Remote Shares | Endgame | 11/30/2018 | Discovery | T1135 Network Share Discovery |
| Execution of a Command via a SYSTEM Service | Endgame | 11/30/2018 | Privilege Escalation | T1035 Service Execution, T1050 New Service |
| HH.exe execution | Dan Beavin | 09/26/2019 | Defense Evasion, Execution | T1223 Compiled HTML File |
| Image Debuggers for Accessibility Features | Endgame | 11/30/2018 | Persistence, Privilege Escalation, Defense Evasion | T1015 Accessibility Features, T1183 Image File Execution Options Injection |
| Indirect Command Execution | Endgame | 11/30/2018 | Defense Evasion | T1202 Indirect Command Execution |
| Installing Custom Shim Databases | Endgame | 11/30/2018 | Persistence, Privilege Escalation | T1138 Application Shimming |
| Interactive AT Job | Endgame | 11/30/2018 | Privilege Escalation | T1053 Scheduled Task |
| Logon Scripts with UserInitMprLogonScript | Endgame | 11/30/2018 | Persistence | T1037 Logon Scripts |
| LSASS Memory Dumping | Tony Lambert | 01/07/2019 | Credential Access | T1003 Credential Dumping |
| LSASS Memory Dumping via ProcDump.exe | Tony Lambert | 01/07/2019 | Credential Access | T1003 Credential Dumping |
| Modification of Boot Configuration | Endgame | 05/17/2019 | Impact | T1490 Inhibit System Recovery |
| Modification of ld.so.preload | Tony Lambert | 05/17/2019 | Defense Evasion | T1055 Process Injection |
| Modifications of .bash_profile and .bashrc | Tony Lambert | 01/10/2019 | Persistence | T1156 .bash_profile and .bashrc |
| Mounting Hidden Shares | Endgame | 11/30/2018 | Lateral Movement | T1077 Windows Admin Shares |
| Mshta Network Connections | Endgame | 11/30/2018 | Execution, Defense Evasion, Command and Control | T1170 Mshta |
| Persistence via AppInit DLL | Endgame | 11/30/2018 | Persistence, Privilege Escalation | T1103 AppInit DLLs |
| Persistence via NetSh Key | Endgame | 11/30/2018 | Persistence | T1128 Netsh Helper DLL |
| Persistence via Screensaver | Endgame | 11/30/2018 | Persistence | T1180 Screensaver |
| Registry Preparation of Event Viewer UAC Bypass | Endgame | 11/30/2018 | Privilege Escalation | T1088 Bypass User Account Control |
| RegSvr32 Scriptlet Execution | Endgame | 11/30/2018 | Execution | T1117 Regsvr32 |
| SAM Dumping via Reg.exe | Endgame | 11/30/2018 | Credential Access | T1003 Credential Dumping |
| Suspicious ADS File Creation | Endgame | 11/30/2018 | Defense Evasion | T1096 NTFS File Attributes |
| Suspicious Bitsadmin Job via bitsadmin.exe | Endgame | 11/30/2018 | Defense Evasion, Persistence | T1197 BITS Jobs |
| Suspicious Bitsadmin Job via PowerShell | Endgame | 11/30/2018 | Defense Evasion, Persistence | T1197 BITS Jobs |
| Suspicious Script Object Execution | Endgame | 11/30/2018 | Defense Evasion, Execution | T1117 Regsvr32 |
| System Information Discovery | Endgame | 11/30/2018 | Discovery | T1082 System Information Discovery |
| Unload Sysmon Filter Driver with fltmc.exe | Endgame | 11/30/2018 | Defense Evasion | T1089 Disabling Security Tools |
| User Account Creation | Endgame | 11/30/2018 | Persistence, Credential Access | T1136 Create Account |
| Volume Shadow Copy Deletion via VssAdmin | Endgame | 05/17/2019 | Impact | T1490 Inhibit System Recovery |
| Volume Shadow Copy Deletion via WMIC | Endgame | 05/17/2019 | Impact | T1490 Inhibit System Recovery |
| Windows Network Enumeration | Endgame | 11/30/2018 | Discovery | T1018 Remote System Discovery |
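Several of the analytics above key on a single process-creation event whose command line carries a telltale verb (delete shadows, cl, deletejournal, unload SysmonDrv, a procdump of lsass). The block below is an added example, not code from the Atomic Blue / EQL Analytics Library: a small Python detector that implements token-based versions of seven of the listed analytics and runs them over constructed Sysmon-style process events. The ProcessEvent shape, the predicates and the sample events are assumptions made for the illustration; the library's own analytics are EQL queries over its own schema.

```python
"""Token-based process-creation detections for seven analytics listed above.
Added illustration: not the library's EQL. ProcessEvent, the predicates and
SAMPLE_EVENTS are assumptions constructed for this example."""
import shlex
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed shape, Sysmon Event ID 1-like)."""
    image: str          # full path of the newly created process
    command_line: str   # command line exactly as logged


def image_name(event: ProcessEvent) -> str:
    """Lower-cased basename of the image, so path and case do not matter."""
    return event.image.rsplit("\\", 1)[-1].lower()


def tokens(event: ProcessEvent) -> List[str]:
    """Lower-cased, unquoted command-line tokens. posix=False keeps Windows
    backslashes literal but leaves quotes on quoted tokens, so strip them;
    an unbalanced quote makes shlex raise, so fall back to a plain split."""
    try:
        raw = shlex.split(event.command_line, posix=False)
    except ValueError:
        raw = event.command_line.split()
    return [t.strip('"').lower() for t in raw]


# Each predicate mirrors one listed analytic: which binary ran, and which
# verbs or arguments made the invocation interesting.
def vssadmin_shadow_deletion(e: ProcessEvent) -> bool:
    t = tokens(e)
    return image_name(e) == "vssadmin.exe" and "delete" in t and "shadows" in t


def wmic_shadow_deletion(e: ProcessEvent) -> bool:
    t = tokens(e)
    return image_name(e) == "wmic.exe" and "shadowcopy" in t and "delete" in t


def bcdedit_recovery_tampering(e: ProcessEvent) -> bool:
    t = tokens(e)
    return image_name(e) == "bcdedit.exe" and (
        ("recoveryenabled" in t and "no" in t)
        or ("bootstatuspolicy" in t and "ignoreallfailures" in t))


def procdump_lsass(e: ProcessEvent) -> bool:
    t = tokens(e)
    return image_name(e) in {"procdump.exe", "procdump64.exe"} and any(
        a.startswith("lsass") for a in t)


def wevtutil_clear_log(e: ProcessEvent) -> bool:
    t = tokens(e)
    return image_name(e) == "wevtutil.exe" and any(a in ("cl", "clear-log") for a in t)


def fsutil_usn_journal_deletion(e: ProcessEvent) -> bool:
    t = tokens(e)
    return image_name(e) == "fsutil.exe" and "usn" in t and "deletejournal" in t


def fltmc_unload_sysmon(e: ProcessEvent) -> bool:
    t = tokens(e)
    return (image_name(e) == "fltmc.exe" and "unload" in t
            and any(a.startswith("sysmon") for a in t))


# (analytic name as listed above, ATT&CK technique as listed above, predicate)
DETECTIONS: List[Tuple[str, str, Callable[[ProcessEvent], bool]]] = [
    ("Volume Shadow Copy Deletion via VssAdmin", "T1490", vssadmin_shadow_deletion),
    ("Volume Shadow Copy Deletion via WMIC", "T1490", wmic_shadow_deletion),
    ("Modification of Boot Configuration", "T1490", bcdedit_recovery_tampering),
    ("LSASS Memory Dumping via ProcDump.exe", "T1003", procdump_lsass),
    ("Clearing Windows Event Logs with wevtutil", "T1070", wevtutil_clear_log),
    ("Delete Volume USN Journal with fsutil", "T1070", fsutil_usn_journal_deletion),
    ("Unload Sysmon Filter Driver with fltmc.exe", "T1089", fltmc_unload_sysmon),
]


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Run every detection over every event; return (analytic, technique, command_line) hits."""
    return [(name, technique, e.command_line)
            for e in events for name, technique, predicate in DETECTIONS if predicate(e)]


# Constructed sample telemetry: seven invocations that should fire, then two
# benign look-alikes (a shadow listing, an event-log query) that must not.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", r"vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"wmic shadowcopy delete"),
    ProcessEvent(r"C:\Windows\System32\bcdedit.exe", r"bcdedit /set {default} recoveryenabled No"),
    ProcessEvent(r"C:\Tools\procdump64.exe", r'procdump64.exe -accepteula -ma lsass.exe "C:\Temp\out.dmp"'),
    ProcessEvent(r"C:\Windows\System32\wevtutil.exe", r"wevtutil cl Security"),
    ProcessEvent(r"C:\Windows\System32\fsutil.exe", r"fsutil usn deletejournal /D C:"),
    ProcessEvent(r"C:\Windows\System32\fltMC.exe", r"fltmc unload SysmonDrv"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", r"vssadmin list shadows"),
    ProcessEvent(r"C:\Windows\System32\wevtutil.exe", r"wevtutil qe Security /c:5"),
]


if __name__ == "__main__":
    for analytic, technique, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{technique}] {analytic}: {cmd}")
```

Matching on the image basename and on lower-cased tokens makes the checks insensitive to path, case and quoting, which is what a first cut of these analytics needs, but it is deliberately brittle in the ways the real ones also have to contend with: a renamed procdump, a LOLBin launched through an intermediary, or an argument split across an environment variable will not match, so production rules should also key on original file name or signer metadata and on parent process context. Note too that `vssadmin delete shadows` and `wevtutil cl` have legitimate administrative uses; the hits are triage leads, not verdicts.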