Spawning a new process on the target system 10.0.0.6 from another compromised system 10.0.0.2:
attacker@victimwmic /node:10.0.0.6 /user:administrator process call create "cmd.exe /c calc"
Inspecting sysmon and windows audit logs, we can see
4648 logon events being logged on the source machine as well as processes being spawned by
WmiPrvSe.exe on the target host:
Both on the host initiating the connection and on the host that is being logged on to, events
4648 should be logged: