Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Detects a Windows command line executable started from MMC

Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.