attack.t1021.003

Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.

Remote DCOM/WMI Lateral Movement

Jun 22, 2023 · attack.lateral_movement attack.t1021.003 attack.t1047 ·

Share on:

Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Potential DCOM InternetExplorer.Application DLL Hijack - Image Load

Jun 1, 2023 · attack.lateral_movement attack.t1021.002 attack.t1021.003 ·

Share on:

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

MMC20 Lateral Movement

Mar 5, 2023 · attack.execution attack.t1021.003 ·

Share on:

Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe

HackTool - Potential Impacket Lateral Movement Activity

Feb 21, 2023 · attack.execution attack.t1047 attack.lateral_movement attack.t1021.003 ·

Share on:

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

DCOM InternetExplorer.Application Iertutil DLL Hijack - Security

Feb 7, 2023 · attack.lateral_movement attack.t1021.002 attack.t1021.003 ·

Share on:

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Potential DCOM InternetExplorer.Application DLL Hijack

Dec 18, 2022 · attack.lateral_movement attack.t1021.002 attack.t1021.003 ·

Share on:

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network