Lateral Movement with Windows Management Instrumentation (WMI) — Attack & Detect
What is lateral movement?
Lateral movement is when an attacker compromises or gains control of one asset within a network and then moves on from that device to others within the same network. [1]
What is Windows Management Instrumentation (WMI)?
Windows Management Instrumentation (ID: T1047) is defined by MITRE [2] as:
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).
Red Team
How to perform lateral movement with WMI?
Use the wmic command for remote execution on the target host with valid accounts:
wmic /node:TARGETHOST /user:ACCOUNT /password:PASSWORD process call create "COMMAND"
e.g. Remote execution of the command “cmd.exe /c hostname > C:\Windows\temp\hostname.txt” on PC02 with the Huntsman account:
wmic /node:PC02 /user:Huntsman /password:P@ssw0rd process call create "cmd.exe /c hostname > C:\Windows\temp\hostname.txt"
Alternatively, Invoke-WmiMethod in PowerShell can be used for remote execution on the target host with valid accounts:
Invoke-WmiMethod -Computer COMPUTERNAME -Class Win32_Process -Name create -Argument "COMMAND"
e.g. Remote execution of the command “cmd.exe /c hostname > C:\Windows\temp\hostname.txt” on PC02 with the Huntsman account:
Invoke-WmiMethod -Computer PC02 -Class Win32_Process -Name create -Argument "cmd.exe /c hostname > C:\Windows\temp\hostname.txt" -Credential (Get-Credential)
Blue Team
Source Host
How to detect remote execution or lateral movement on the source host?
Detect WMI remote execution on the source host by matching the following command-line patterns:
- wmic & /node
- Invoke-WmiMethod & -Computer
Endpoint logs that can be used for this detection include:
- Windows Security Event Logs → Event ID: 4688 (Field: Process Command Line) [3]
- Sysmon → Event ID: 1 (Field: CommandLine) [4]
- Endpoint Detection Response Product (Field: CommandLine)
How to respond?
After detecting the attack, the incident response team should investigate to answer questions such as:
- Where did the attackers come from?
- How did the attackers execute the commands?
- What is the account name that the attackers use to execute commands?
- What are the root causes?
- Which target host did the attackers move laterally to?
Target host
How to detect WMI remote execution or lateral movement on the target host?
Look at the process tree on the target host.
When the attackers execute a command remotely, the new process is spawned by WmiPrvSE.exe:
WmiPrvSE.exe → cmd.exe
Then you can create detection rules with:
ParentProcess = WmiPrvSE.exe
Endpoint logs that can be used for this detection include:
- Windows Security Event Logs → Event ID: 4688 (Field: Creator Process Name) on Windows 10
- Sysmon → Event ID: 1 (Field: ParentImage)
- Endpoint Detection Response Product (Field: ParentProcessName)
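The two rules above (the source-host command-line patterns and the target-host WmiPrvSE.exe parent check) as one detection script, added here as an example and not part of the original post. It runs over constructed Sysmon Event ID 1 style records modelled on the PC01 → PC02 scenario; the field names CommandLine, ParentImage, Image, Computer and User are Sysmon's, and the sample records are invented.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Source-host rule from the post: wmic with /node, or Invoke-WmiMethod with -Computer.
# "-computer" also catches the full -ComputerName parameter, because PowerShell accepts
# any unambiguous prefix of a parameter name.
WMI_REMOTE_CMDLINE = re.compile(
    r"(\bwmic(?:\.exe)?\b.*?/node\b)|(\binvoke-wmimethod\b.*?-computer)", re.IGNORECASE
)
# Target-host rule from the post: the remotely created process is a child of WmiPrvSE.exe.
WMI_PROVIDER_HOST = "wmiprvse.exe"


def matches_source_pattern(command_line: str) -> bool:
    """True if a command line looks like WMI remote execution launched from this host."""
    return bool(WMI_REMOTE_CMDLINE.search(command_line or ""))

def matches_target_pattern(parent_image: str) -> bool:
    """True if the parent process is WmiPrvSE.exe; compare the basename, not the full path."""
    basename = (parent_image or "").replace("/", "\\").rsplit("\\", 1)[-1]
    return basename.lower() == WMI_PROVIDER_HOST

def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply both rules to Sysmon Event ID 1 style records; returns (host, rule, detail) tuples.
    For Security 4688 the same checks apply to 'Process Command Line' and 'Creator Process Name'."""
    alerts = []
    for ev in events:
        if matches_source_pattern(ev.get("CommandLine", "")):
            alerts.append((ev["Computer"], "wmi_source", ev["CommandLine"]))
        if matches_target_pattern(ev.get("ParentImage", "")):
            alerts.append((ev["Computer"], "wmi_target", f'{ev.get("User", "?")} -> {ev["Image"]}'))
    return alerts

# Constructed sample records (not real telemetry) modelled on the post's PC01 -> PC02 scenario.
WBEM = r"C:\Windows\System32\wbem"
SAMPLE_EVENTS = [
    {"Computer": "PC01", "User": "PC01\\Huntsman", "Image": WBEM + r"\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /node:PC02 /user:Huntsman /password:P@ssw0rd process call create "cmd.exe /c hostname > C:\Windows\temp\hostname.txt"'},
    {"Computer": "PC01", "User": "PC01\\Huntsman", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c \"Invoke-WmiMethod -ComputerName PC02 -Class Win32_Process -Name create -Argument 'cmd.exe /c hostname'\""},
    {"Computer": "PC02", "User": "PC02\\Huntsman", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WBEM + r"\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c hostname > C:\Windows\temp\hostname.txt"},
    # Benign: a local wmic query (no /node) and an interactive cmd.exe; neither should alert.
    {"Computer": "PC01", "User": "PC01\\admin", "Image": WBEM + r"\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "wmic os get caption"},
    {"Computer": "PC02", "User": "PC02\\user", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

The source-host rule depends on the command line being visible as typed, so renamed binaries or obfuscated PowerShell can slip past it; the target-host parent-process rule does not depend on the command line and is the complementary control.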
How to respond?
After detecting the attack, the incident response team should investigate to answer questions such as:
- Where did the attackers come from?
Look at the Windows Event Logs for Event ID: 4624 [5] to identify the source host.
In this example, the source host is PC01 (10.7.7.131), so the incident response team should investigate PC01 to find the root cause.
- What is the account name that the attackers use to execute commands?
Look at the Windows Event Logs for Event ID: 4624 or Event ID: 4688 to identify the account name.
In this example, the account name is PC02\Huntsman, which has been compromised; the attackers used this account to move laterally from PC01 to PC02.
The incident response team must inform the account owner (PC02\Huntsman) to change the password immediately and continue the investigation to find the root cause.
Thank you for reading.
References
[1] https://blogs.vmware.com/networkvirtualization/2020/09/what-is-lateral-movement.html
[2] https://attack.mitre.org/techniques/T1047/
[3] https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688
[4] https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001
[5] https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624