WMI for Lateral Movement

Windows Management Instrumentation for code execution, lateral movement.


Spawning a new process on the target system from another compromised system

wmic /node: /user:administrator process call create "cmd.exe /c calc"


Inspecting sysmon and windows audit logs, we can see 4648 logon events being logged on the source machine as well as processes being spawned by WmiPrvSe.exe on the target host:

Both on the host initiating the connection and on the host that is being logged on to, events 4624 and 4648 should be logged:


Last updated