Red Team

Lateral Movement in the Lab: SMB, WMI and WinRM with a Detection Focus

By Basilisk Team ·

We reproduce three classic lateral movement techniques in GOAD and show how to turn each one into a Sigma rule the blue team can actually use.

Lateral movement is not magic: it is an attacker reusing valid credentials inside legitimate protocols. In our GOAD lab with three Windows Server 2019 boxes and a Windows 10 client joined to sevenkingdoms.local, we pivoted from a workstation to the DC in under eight minutes using only SMB, WMI and WinRM. The goal here is not to drill pivot after pivot, but to show where each technique screams in the logs and how to write the detection before the real incident. If you have not built your environment yet, start with Active Directory Pentest: Step-by-Step Kerberoasting in a GOAD Lab to get the ground ready.

We kicked off with classic SMB through impacket-psexec and smbexec. After grabbing an NTLM hash via Responder, we ran psexec.py sevenkingdoms.local/jaime@10.0.10.10 -hashes :aad3b... and landed as SYSTEM. The noise here is massive: RemComSvc service creation under Event ID 7045, binary write to ADMIN$ triggering Event ID 5145 with share name ADMIN$ and a RelativeTargetName ending in a random .exe. The Sigma rule stays short: filter 7045 where ServiceFileName matches eight random alphanumeric chars followed by .exe and you catch 90 percent of psexec variants without ever touching binary signatures.

WMI shifts the logging surface. Using impacket wmiexec.py or a direct Invoke-WmiMethod, the child process spawns from WmiPrvSE.exe rather than services.exe. In Sysmon this shows up as Event ID 1 with ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe and CommandLine containing cmd.exe /Q /c which is the textbook wmiexec fingerprint. Pair that with Event ID 3 (network connection) leaving the target on port 445 to ship output back, and your confidence is high. For broader LOLBin abuse hunting, revisit Hunting Living-off-the-Land Binaries on Windows with KQL and adapt the queries to your stack.

WinRM is the modern operator favorite because it looks like legitimate admin traffic. We fired Enter-PSSession -ComputerName dc01 -Credential $cred and remote Invoke-Command. Indicators land in three places: Microsoft-Windows-WinRM/Operational Event ID 91 (session created), Security Event ID 4624 with LogonType 3 and AuthenticationPackage Negotiate, and Sysmon Event ID 1 with ParentImage=wsmprovhost.exe. A solid Sigma rule correlates wsmprovhost.exe as a parent of any process that is not conhost.exe or csrss.exe within a five minute window, killing the PowerShell DSC baseline noise.
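To make the three per-technique indicators above concrete, here is an added example (not code from the original post or from GOAD) that encodes the psexec 7045 filename rule, the WmiPrvSE.exe plus cmd.exe /Q /c fingerprint, and the wsmprovhost.exe parent rule as plain Python matchers and runs them over constructed sample events; the field names follow the post, the sample values are hypothetical, and the five minute window for the WinRM rule is left to the SIEM.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events (hypothetical, not GOAD captures). Field names follow
# the ones the post cites: 7045 ServiceFileName, Sysmon 1 ParentImage/Image/CommandLine.
SAMPLE_EVENTS: List[Event] = [
    # psexec.py installing its random-named service binary
    {"EventID": "7045", "ServiceFileName": r"%SystemRoot%\AbCdEf12.exe"},
    # legitimate vendor agent install, must not fire
    {"EventID": "7045", "ServiceFileName": r"C:\Program Files\Vendor\agent.exe"},
    # wmiexec.py child of WmiPrvSE.exe carrying the /Q /c fingerprint
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.1 2>&1"},
    # console host of a WinRM shell, expected baseline noise
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0xffffffff"},
    # Invoke-Command payload running under wsmprovhost.exe
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command whoami"},
]

# Eight alphanumerics followed by .exe as the final path component.
PSEXEC_SERVICE_NAME = re.compile(r"(?:^|\\)[A-Za-z0-9]{8}\.exe$")
WINRM_BENIGN_CHILDREN = {"conhost.exe", "csrss.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_psexec_service(ev: Event) -> bool:
    return ev.get("EventID") == "7045" and bool(
        PSEXEC_SERVICE_NAME.search(ev.get("ServiceFileName", "")))


def detect_wmiexec_child(ev: Event) -> bool:
    return (ev.get("EventID") == "1"
            and basename(ev.get("ParentImage", "")) == "wmiprvse.exe"
            and "cmd.exe /q /c" in ev.get("CommandLine", "").lower())


def detect_winrm_child(ev: Event) -> bool:
    return (ev.get("EventID") == "1"
            and basename(ev.get("ParentImage", "")) == "wsmprovhost.exe"
            and basename(ev.get("Image", "")) not in WINRM_BENIGN_CHILDREN)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("psexec_service_install", detect_psexec_service),
    ("wmiexec_child_process", detect_wmiexec_child),
    ("winrm_child_process", detect_winrm_child),
]


def classify(events: List[Event]) -> List[str]:
    # Rule names fired, in event order; events matching nothing are skipped.
    return [name for ev in events for name, rule in RULES if rule(ev)]
```

Running classify(SAMPLE_EVENTS) fires exactly once per technique and stays silent on the vendor installer and the conhost.exe child.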

The part nobody tells you: detecting a single technique is easy; detecting the whole chain is what matters. We built an Elastic playbook that links Responder hit -> hash crack -> first Type 3 logon with an NT hash on a host that user never touched before -> wsmprovhost or WmiPrvSE spawn within ten minutes. That temporal correlation cut false positives from 40 alerts a day to 2 per week in our simulated lab. If you are starting fresh with Sigma and Elastic, Threat Hunting with Sigma and Elastic: From Indicator to Detection Rule covers the ELK plus sigmac pipeline we use as the baseline.

Remember all of this assumes decent telemetry. Without Sysmon running an Olaf or SwiftOnSecurity config, without PowerShell Script Block Logging on (Event ID 4104), and without collecting the WinRM and WMI-Activity channels, your Sigma rules become poetry. In GOAD we shipped a minimal GPO that flips those four switches on every host; the same baseline we recommend in Windows 11 Hardening for High-Risk Offensive Security Workstations for corporate endpoints. Telemetry first, rule second, always in that order, otherwise you are detecting the attacker by the silence of logs that never arrive.

Finally, researcher OPSEC: lateral movement labs generate hashes, Kerberos tickets and samples that cannot leak into your real workstation. We always work in isolated host-only VMs, with snapshots before every run, and we never reuse passwords between lab and personal production. For a wider view of research environment isolation, OPSEC for Security Researchers: Building a Personal Threat Model lays out the model we adopted. Practical takeaway: pick one technique this week (we suggest WMI because it is the most under-detected), reproduce it in GOAD, write the Sigma rule, validate with Atomic Red Team T1047, and only then move on. Short cycle, real detection.
