
T1047: WMI for Lateral Movement


Spawning a new process on the target system from another compromised system

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

wmic /node: /user:administrator process call create "cmd.exe /c calc"
{% endcode-tabs-item %} {% endcode-tabs %}


Inspecting Sysmon and Windows audit logs, we can see 4648 logon events being logged on the source machine as well as processes being spawned by WmiPrvSE.exe on the target host:

Both on the host initiating the connection and on the host that is being logged on to, events 4624 and 4648 should be logged:
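The observations above can be turned into a simple correlation. The following is an added example, not part of the original notes: it flags Sysmon event 1 records whose parent is WmiPrvSE.exe and attaches any 4624 (network logon) or 4648 event seen shortly before. The events, host names, IP address and the 30-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names follow Sysmon event 1
# and Security events 4624/4648; host names and the IP are placeholders.
EVENTS = [
    {"host": "WS01", "id": 4648, "time": "2024-01-01T10:00:00",
     "SubjectUserName": "alice", "TargetUserName": "administrator",
     "TargetServerName": "SRV01"},
    {"host": "SRV01", "id": 4624, "time": "2024-01-01T10:00:01",
     "TargetUserName": "administrator", "LogonType": 3, "IpAddress": "192.0.2.10"},
    {"host": "SRV01", "id": 1, "time": "2024-01-01T10:00:02",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c calc"},
    {"host": "SRV01", "id": 1, "time": "2024-01-01T11:30:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

WINDOW = timedelta(seconds=30)  # assumed correlation window; tune for clock skew


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_wmi_remote_exec(events, window=WINDOW):
    """Flag processes spawned by WmiPrvSE.exe and attach the logons before them."""
    findings = []
    for proc in events:
        parent = proc.get("ParentImage", "").lower()
        if proc["id"] != 1 or not parent.endswith("\\wmiprvse.exe"):
            continue
        target = proc["host"].lower()
        recent = [e for e in events
                  if timedelta(0) <= _when(proc) - _when(e) <= window]
        # Network logon (type 3) recorded on the target itself.
        logon = next((e for e in recent if e["id"] == 4624
                      and e["host"].lower() == target
                      and e.get("LogonType") == 3), None)
        # Explicit-credential logon (4648) whose TargetServerName is this host.
        explicit = next((e for e in recent if e["id"] == 4648
                         and e.get("TargetServerName", "").lower() == target), None)
        findings.append({
            "target": proc["host"], "command": proc["CommandLine"],
            "source_ip": logon and logon["IpAddress"],
            "source_host": explicit and explicit["host"],
            "confidence": ("low", "medium", "high")[bool(logon) + bool(explicit)],
        })
    return findings
```

A WmiPrvSE.exe child process on its own is rated low because management tooling also produces it; the preceding logon events are what raise the confidence.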

