attack.t1021.003

Suspicious Non PowerShell WSMAN COM Provider

Dec 28, 2024 · attack.execution attack.t1059.001 attack.lateral-movement attack.t1021.003 ·

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp

Oct 1, 2024 · attack.t1021.003 attack.lateral-movement ·

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

DCOM InternetExplorer.Application Iertutil DLL Hijack - Security

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 attack.t1021.003 ·

Share on:

Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.

HackTool - Potential Impacket Lateral Movement Activity

Aug 12, 2024 · attack.execution attack.t1047 attack.lateral-movement attack.t1021.003 ·

Share on:

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

MMC Spawning Windows Shell

Aug 12, 2024 · attack.lateral-movement attack.t1021.003 ·

Share on:

Detects a Windows command line executable started from MMC

MMC20 Lateral Movement

Aug 12, 2024 · attack.execution attack.t1021.003 ·

Share on:

Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe

Potential DCOM InternetExplorer.Application DLL Hijack

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 attack.t1021.003 ·

Share on:

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Potential DCOM InternetExplorer.Application DLL Hijack - Image Load

Aug 12, 2024 · attack.lateral-movement attack.t1021.002 attack.t1021.003 ·

Share on:

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Remote DCOM/WMI Lateral Movement

Aug 12, 2024 · attack.lateral-movement attack.t1021.003 attack.t1047 ·

Share on:

Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Suspicious WSMAN Provider Image Loads

Aug 12, 2024 · attack.execution attack.t1059.001 attack.lateral-movement attack.t1021.003 ·

Share on:

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

SMBexec.py Execution

Mar 26, 2024 · attack.s0357 attack.execution attack.t1569 attack.t1569.002 attack.lateral_movement attack.t1021 attack.t1021.003 ·

Share on:

Similar to the wmiexec.py detector logic, this detection analytic is looking for services.exe spawning cmd.exe with a command line that has the following strings: '/Q', '/c', 'echo',' > ', ' 2>&1'. These strings are unique to the execution of smbexec.py, which allows a semi-interactive shell used through SMB. This script functions similar to psexec.py, but does not write a service binary to disk on the target machine. Part of the RedCanary 2024 Threat Detection Report.

Wmiexec.py Execution

Mar 26, 2024 · attack.s0357 attack.execution attack.t1047 attack.lateral_movement attack.t1021 attack.t1021.003 ·

Share on:

This detection analytic looks for wmiprvse.exe spawn cmd.exe with the following command line, cmd.exe /Q /c ', ' 1 \\', ' 2 &1. These strings are specific to the execution of wmiexe.py, which allows a semi-interactive shell used via WMI. Part of the RedCanary 2024 Threat Detection Report.

Possible Impacket DCOMExec Connection Attempt - Zeek

Sep 1, 2023 · attack.s0357 attack.execution attack.lateral_movement attack.t1021 attack.t1021.003 ·

Share on:

Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.