wmic /node:10.0.0.6 /user:administrator process call create "cmd.exe /c calc"
Copied!
Observations
Inspecting sysmon and windows audit logs, we can see 4648 logon events being logged on the source machine as well as processes being spawned by WmiPrvSe.exe on the target host:
Both on the host initiating the connection and on the host that is being logged on to, events 4624 and 4648 should be logged:
References
Windows Management Instrumentation, Technique T1047 - Enterprise | MITRE ATT&CK®