WMI for Lateral Movement
Windows Management Instrumentation for code execution, lateral movement.
Spawning a new process on the target system 10.0.0.6 from another compromised system 10.0.0.2:
Inspecting sysmon and windows audit logs, we can see
4648logon events being logged on the source machine as well as processes being spawned by
WmiPrvSe.exeon the target host:
Both on the host initiating the connection and on the host that is being logged on to, events
4648should be logged: