{"id":10568,"date":"2020-07-08T09:00:00","date_gmt":"2020-07-08T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5\/"},"modified":"2026-05-25T10:33:42","modified_gmt":"2026-05-25T09:33:42","slug":"attack-detection-fundamentals-discovery-and-lateral-movement-lab-5","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5\/","title":{"rendered":"Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #5"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; <span class=\"blue-text\">Lab #5<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                            
                        <span class=\"wp-component-content__meta-category\">\n                                        Endpoint Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Network Security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                08.07.2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Jaa t\u00e4m\u00e4                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#5\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n               
 <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #5&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research.jpg.webp 1200w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_research-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_3ff8925f96d318adc10a056ecf18e659\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 
6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Alfie Champion<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Sis\u00e4ll\u00f6n navigointi            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Valitse jakso                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border 
wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5\/&#038;title=Attack%20Detection%20Fundamentals:%20Discovery%20and%20Lateral%20Movement%20&#8211;%20Lab%20#5\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Jaa LinkedIniss\u00e4\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #5&#038;url=https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Jaa X:ss\u00e4 (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph 
wp-block-two-column-block__paragraph \">\n    <p>In the third part of WithSecure Consulting&#x27;s Attack Detection Workshop series, covering Discovery and Lateral Movement, we explored a number of offensive techniques for discovering assets of value, be that users or file shares, and methods for moving between compromised hosts.<\/p>\n<p>We also explored the detection strategies that can be employed to spot these using our own detection stacks. As with previous workshops, the following blog provides a fifth and final step-by-step guide to recreating the demos from that Discovery and Lateral Movement workshop, as well as exercises to further the reader&#x27;s understanding of the concepts shown.<\/p>\n<p>A recording of the workshop can be found <a href=\"https:\/\/youtu.be\/Pv8eHC1a_bc\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the previous <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-4\/\" target=\"_blank\" rel=\"noopener\">lab<\/a>, we looked at a means of lateral movement using the Sysinternals tool, PsExec. We saw detection opportunities from anomalous user logins (when we used Domain Administrator creds on our workstation!), registry keys being set, and services being installed on the target host. We also looked at ways to detect some variations of PsExec including a simple renaming of the executable, to the module in Metasploit.<\/p>\n<p>For this final lab, we\u2019re going to be taking a look at lateral movement using Windows Management Instrumentation, or WMI. As with PsExec, there are many implementations of WMI available for use. Covenant, the .NET framework we\u2019ve used extensively throughout this series, has WMI tasks it can execute, as does Metasploit. 
Other tools, such as Impacket, have implementations too.<\/p>\n<p>First, we\u2019re going to take a look at the built-in Windows WMIC command, before reviewing detection opportunities for one of the tools mentioned above, Impacket\u2019s wmiexec.<\/p>\n<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/riccardoancarani.github.io\/2020-05-10-hunting-for-impacket\/#wmiexecpy\" target=\"_blank\" rel=\"noopener\">Riccardo Ancarani &#8211; Hunting for Impacket (wmiexec.py)<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/SecureAuthCorp\/impacket\/blob\/master\/examples\/wmiexec.py\" target=\"_blank\" rel=\"noopener\">Impacket&#x27;s wmiexec<\/a><\/li>\n<\/ul>\n<p>DISCLAIMER: Setup of the tools and the testing environment might not be covered comprehensively within this lab. We will assume basic familiarity with the Linux\/Windows command line and the ability of the reader to deploy the necessary frameworks. For that, it is recommended to follow the suggested references for the official tutorials and walkthroughs published by the framework&#x27;s author.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Active Directory domain with at least one DC and workstation<\/li>\n<li>HELK (optional)<\/li>\n<li>Sysmon<\/li>\n<li>Wireshark<\/li>\n<li>Impacket<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>1 \u2013 Basic Execution<\/h3>\n<p>To get us started, let\u2019s perform a \u201crunas\u201d as before, spawning a Command Prompt as the \u201cAdministrator\u201d user.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/runas.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>With this context we can once again target our domain controller with the following \u201cwmic\u201d command:<\/p>\n<pre><code class=\"language-bash\">wmic \/node:dc2 process call create \u201ccalc\u201d<\/code><\/pre>\n<p>The command arguments are relatively self-explanatory, but for completeness:<\/p>\n<ul>\n<li>\/node:dc2 \u2013 we\u2019re targeting 
our DC2 host.<\/li>\n<li>process \u2013 we\u2019re selecting the alias for Win32_Process<\/li>\n<li>call \u2013 as opposed to other methods used to query values (e.g. get), we\u2019re executing a method.<\/li>\n<li>create \u2013 we\u2019re creating a new instance<\/li>\n<li>\u201ccalc\u201d \u2013 the process that\u2019s going to be executed. This could be extended to \u201ccmd \/c [command]\u201d to execute arbitrary commands.<\/li>\n<\/ul>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/wmic.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Running the command, we can see it\u2019s been successful and has provided us with the Process ID of the newly-spawned calc. Viewing the Task Manager on the target host, we can see the process running.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/calc-process-from-wmic.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>2- Detection<\/h3>\n<p>Much like PsExec, in terms of logs from the source host, we\u2019re expecting to see the following:<\/p>\n<ul>\n<li>EID 4648 \u2013 If we needed to authenticate as an alternative user, in our case this was the \u201cAdministrator\u201d user.<\/li>\n<li>EID 1\/4688 \u2013 A new process of \u201cwmic\u201d was created (as seen below)<\/li>\n<li>EID 5\/4689 \u2013 Our process terminated.<\/li>\n<\/ul>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/source-execute.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If we turn our attention to the target host, the first thing we can observe is the process creation of our \u201ccalc\u201d.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/calc-sysmon-2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The most important thing to note here is the 
parent-child relationship. We have our process spawning from a parent of \u201cC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\u201d and the parent command line includes the \u201c-secured -Embedding\u201d flags. An initial strategy we could adopt here is to hunt for the processes that have spawned from parents with these arguments, potentially filtering for least frequent occurrences.<\/p>\n<h3>3- wmiexec variation<\/h3>\n<p>Now, let\u2019s look at the Impacket variation of this, wmiexec. This is a python utility that allows us to leverage WMI to execute commands or obtain a semi-interactive shell. As in the screenshot below, we can run the following command to obtain a shell on our target host:<\/p>\n<pre><code class=\"language-bash\">python wmiexec.py [domain]\/[user]@[target-host]<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/impacket-0.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We can add an additional argument to the end of this to execute a specific command, similar to what we did with wmic, but in the above example we\u2019re spawning a shell and executing our \u201cwhoami\u201d command. 
Let\u2019s look at the process creation events this produces.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/impacket-1-created-processes.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Analysing the \u201cCommandLine\u201d entries from our EID 1\/4688s, we can see a distinct pattern.<\/p>\n<pre><code class=\"language-bash\">cmd.exe \/q \/c [command] 1&gt; \\\\127.0.0.1\\admin$\\__[file] 2&gt;&amp;1<\/code><\/pre>\n<p>Immediately, we can see an opportunity to hunt for processes with this pattern that are spawned from our WmiPrvSE.exe parent process, with the flags we saw before.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/wmi-process-tree.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We also have detection opportunities based on the object access telemetry we\u2019ve leveraged in previous labs. If we filter for 5145 events involving our target host\u2019s admin$ share, we can see the following.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/5145s.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>In this case we have two source IP addresses, 127.0.0.1 and 192.168.22.100. The former, of course, is our local host. We can see two access masks here; the most notable is 0x2. From the C3 lab, we know this is a WriteData mask, and it is almost certainly the event produced when our wmiexec command pipes its output into a file in the &quot;C:\\Windows&quot; directory.<\/p>\n<p>The latter IP address, 192.168.22.100, happens to be our attacker host in this environment. 
We can see two masks of interest:<\/p>\n<ul>\n<li>0x1 \u2013 The ReadData mask.<\/li>\n<li>0x10080 \u2013 The DELETE and ReadAttributes masks combined.<\/li>\n<\/ul>\n<p>If we read through these logs chronologically, we can see a high-level flow of:<\/p>\n<ul>\n<li>The local host writes data to the file.<\/li>\n<li>The remote host reads the data.<\/li>\n<li>The remote host deletes the file.<\/li>\n<\/ul>\n<p>As we observed with PsExec, there are many customisation options that we should consider when building and evaluating our detections. With wmiexec specifically, reviewing the help output below, we can see two options immediately. We could use the \u201cnooutput\u201d flag to prevent output being written and subsequently read from the share, and we could also change which share we use for this purpose. A detection keyed only on ADMIN$ access would therefore miss those variants, which is why it should be paired with the process creation signals above.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/wmiexec-options.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h3>4 \u2013 Network Detection<\/h3>\n<p>In Riccardo Ancarani\u2019s <a href=\"https:\/\/riccardoancarani.github.io\/2020-05-10-hunting-for-impacket\/#wmiexecpy\" target=\"_blank\" rel=\"noopener\">blog<\/a> on hunting for Impacket, we also see another avenue for detection. We could inspect the network traffic between our source and target host. For the purposes of our lab, we can perform this by simply running Wireshark, or similar, while carrying out our wmiexec commands.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/impacket-1-wireshark-edit.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The first thing we can observe is the Distributed Computing Environment \/ Remote Procedure Calls (DCERPC) between our two hosts. 
We can \u2018follow\u2019 the TCP stream using the option shown below:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/tcp-stream.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Here we can observe the interaction between the hosts in plain-text. Without going too deep here, we can see a reference to the Win32_Process <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/cimwin32prov\/win32-process\" target=\"_blank\" rel=\"noopener\">alias<\/a> from the native \u201cwmic\u201d command we executed at the start of the lab. We can also observe the GUID entry, {8502C566-5FBB-11D2-AAC1-006008C78BC7}, which correlates to the CIM_Process DCOM <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/cimwin32prov\/cim-process#syntax\" target=\"_blank\" rel=\"noopener\">object<\/a>.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/guid-edit.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>As we continue through the interaction between the two hosts, we can see a reference to the Win32_ProcessStartup <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/cimwin32prov\/win32-processstartup#main\" target=\"_blank\" rel=\"noopener\">object<\/a>. Reading through Microsoft\u2019s MSDN article on the object we see:<\/p>\n<p>The Win32_ProcessStartup abstract WMI class represents the startup configuration of a Windows-based process. 
The class is defined as a method type definition, which means that it is only used for passing information to the Create method of the Win32_Process class.<\/p>\n<p>Immediately after the reference to Win32_ProcessStartup, we can see our wmiexec command following the specific command structure we identified previously.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/impacket-2-wireshark-edit.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>While we won\u2019t take this any further in this lab, we could look to create an IDS alert (using something like Snort, Zeek or Suricata) to alert us when hosts attempt to move laterally using WMI.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this fifth and final lab of the Discovery and Lateral Movement workshop, we covered how an attacker could make use of WMI using both the native \u201cwmic\u201d executable and a tool such as Impacket\u2019s wmiexec.<\/p>\n<p>We noted that what we\u2019re seeing from wmiexec is customisable within our offensive tooling, and that the EID 1 process creation events with a very specific command line structure are a great indicator, but not infallible.<\/p>\n<p>It\u2019s also worth mentioning that, while we didn\u2019t explore it here, integration with attacker frameworks sees similar outcomes to what we observed from the PsExec module in Metasploit; for example, PowerShell one-liners (hello EID 4104s!) spawning from the \u201cWmiPrvSE.exe\u201d process. 
It\u2019s left as an exercise to explore these possibilities.<\/p>\n<p>The main takeaways from this final lab are:<\/p>\n<ul>\n<li>Parent-child process relationships with \u201cWmiPrvSE.exe\u201d<\/li>\n<li>The process creation command line arguments observed from Impacket\u2019s wmiexec.<\/li>\n<li>The ADMIN$ share access that facilitates our semi-interactive shell.<\/li>\n<li>The network artefacts we can observe by capturing the traffic between our two test hosts.<\/li>\n<\/ul>\n<\/div>\n                <\/div>\n                        <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>For this final lab, we\u2019re going to be taking a look at lateral movement using Windows Management Instrumentation, or WMI<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[302,326,342],"labs_content_type":[305],"class_list":["post-10568","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security","category-network-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                      
                      <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Network Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals: Discovery and Lateral Movement &#8211; Lab #5<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">For this final lab, we\u2019re going to be taking a look at lateral movement using Windows Management Instrumentation, or WMI<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/attack-detection-fundamentals-discovery-and-lateral-movement-lab-5\/\">Lue lis\u00e4\u00e4<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item\/10568","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=10568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=10568"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/labs_content_type?post=10568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}