Detects potential use of an SSH utility to establish RDP over a reverse SSH tunnel. Attackers can use this to route network packets that would otherwise not reach their intended destination.
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Detects attempts to connect via DCOM Endpoints, as used by Impacket DCOMExec. This event will occur on successful or unsuccessful attempts using any of the three DCOMExec -object options.
Detects PsExec execution in which the user license agreement is accepted on the command line.
Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by the Vice Ransomware gang.