WMI for Lateral Movement
Using Windows Management Instrumentation (WMI) for remote code execution and lateral movement.
Execution
Spawning a new process on the target system 10.0.0.6 from another compromised system 10.0.0.2:
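The procedure above, as an added example rather than the page's own command: spawn a process on 10.0.0.6 from 10.0.0.2 through the `Win32_Process` `Create` method (the same call that `wmic ... process call create` issues) and confirm it started. The credential prompt, the `cmd.exe /c calc.exe` command line and the follow-up process query are assumptions for illustration.

```powershell
# Added example (not from the original page): execute a command on a remote host over WMI
# and verify the result. Target address, account and command line are assumptions.
$target  = '10.0.0.6'
$cred    = Get-Credential -UserName 'administrator' -Message 'Credentials for the target'
$cmdline = 'cmd.exe /c calc.exe'

# Win32_Process.Create over DCOM: the target sees a type 3 (network) logon for the
# supplied account and the new process is created by WmiPrvSE.exe on the target.
$result = Invoke-WmiMethod -ComputerName $target -Credential $cred `
    -Class Win32_Process -Name Create -ArgumentList $cmdline

# ReturnValue 0 = success. Other documented values include 2 (access denied),
# 3 (insufficient privilege), 8 (unknown failure), 9 (path not found), 21 (invalid parameter).
if ($result.ReturnValue -ne 0) {
    throw "Win32_Process.Create on $target failed with ReturnValue $($result.ReturnValue)"
}
"Spawned PID $($result.ProcessId) on $target"

# Confirm from the source side by querying the remote process table for the new PID.
Get-WmiObject -ComputerName $target -Credential $cred -Class Win32_Process `
    -Filter "ProcessId = $($result.ProcessId)" |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine
```

Processes created this way run in session 0 with no interactive desktop, so a GUI program such as calc.exe starts but never shows a window; when testing, prefer a command whose side effect you can observe (a file write, a network connection, or the process listing as above).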
Observations
Inspecting Sysmon and Windows audit logs, we can see 4648 (logon attempted using explicit credentials) events being logged on the source machine, as well as processes being spawned by WmiPrvSE.exe on the target host.
Both on the host initiating the connection and on the host being logged on to, events 4624 and 4648 should be logged. The source-side 4648 records the calling process (wmic.exe or powershell.exe), the account supplied and the target server name; the target-side 4624 is a type 3 (network) logon for that account originating from the source IP, and Sysmon event 1 on the target shows the spawned process with WmiPrvSE.exe as its parent.
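Pulling those artefacts out of the event logs, as an added example that is not part of the original page: the first query runs on the source (10.0.0.2), the other two on the target (10.0.0.6). The 24-hour window, the source IP filter and the field names used as output columns are assumptions for illustration; the event IDs and data field names are the standard ones for the Security and Sysmon logs.

```powershell
# Added example (not from the original page): hunt for the WMI lateral-movement
# artefacts described above. Time window and the 10.0.0.2 source filter are assumptions.
$since = (Get-Date).AddHours(-24)

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> entries of a record into a hashtable
    # so the query can refer to fields by name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# --- Source side (10.0.0.2): 4648 = logon attempted with explicit credentials. ---
# A remote TargetServerName combined with wmic.exe / powershell.exe as the calling
# process is the tell; explicit-credential logons to the local host are usually noise.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = $since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Subject     = $d.SubjectUserName
            UsedAccount = $d.TargetUserName
            TargetHost  = $d.TargetServerName
            Process     = $d.ProcessName
        }
    } |
    Where-Object { $_.TargetHost -ne 'localhost' -and $_.TargetHost -ne $env:COMPUTERNAME }

# --- Target side (10.0.0.6): 4624 with LogonType 3 (network) from the source IP. ---
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d.TargetUserName
            LogonType = $d.LogonType
            SourceIp  = $d.IpAddress
            Process   = $d.ProcessName
        }
    } |
    Where-Object { $_.LogonType -eq '3' -and $_.SourceIp -eq '10.0.0.2' }

# --- Target side (10.0.0.6): Sysmon event 1 (process create) parented by WmiPrvSE.exe. ---
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Parent      = $d.ParentImage
            Image       = $d.Image
            CommandLine = $d.CommandLine
            User        = $d.User
        }
    } |
    Where-Object { $_.Parent -like '*\WmiPrvSE.exe' }
```

Correlating the three views (a 4648 on the source naming the target, a type 3 4624 on the target from the source IP at the same time, and a child of WmiPrvSE.exe appearing seconds later) gives a much stronger signal than any one of them alone, since WmiPrvSE.exe also parents legitimate processes started by monitoring agents and management tooling.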