WMI for Lateral Movement
Windows Management Instrumentation for code execution, lateral movement.
Spawning a new process on the target system 10.0.0.6 from another compromised system 10.0.0.2:
attacker@victim
wmic /node:10.0.0.6 /user:administrator process call create "cmd.exe /c calc"
Inspecting sysmon and windows audit logs, we can see
4648 logon events being logged on the source machine as well as processes being spawned by WmiPrvSe.exe on the target host:
Both on the host initiating the connection and on the host that is being logged on to, events
4624 and 4648 should be logged:
Last modified 4yr ago