Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
Detects a Windows command line executable started from MMC.
Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.
Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class.
Detects MMC20.Application lateral movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe.
Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.
Detects a threat actor creating a file named iertutil.dll in the C:\Program Files\Internet Explorer\ directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network.