
Tracking Lateral Movement: PowerShell Remoting, WMIC, Explicit Credentials, NTLM Relay Attacks, Credential Theft and Reuse (Event IDs)


Welcome back, folks!

If you’ve been following this series, I’ve already covered how attackers move laterally using named pipes, scheduled tasks, services, registry modifications and more. Now it’s time to unpack some classic but still dangerous remote execution tricks, and how to actually hunt them down using Windows logs.


-------------------------------------------------------------------------------------------------------------

PowerShell Remoting & WMIC — Attackers’ Favorite “Admin Tools”

Here’s the deal: not every network logon (Event ID 4624, Logon Type 3) means someone mounted a share over SMB. (An interactive RDP session logs as Type 10, although NLA produces a Type 3 on the way in.) Plenty of Type 3 logons come from administrative tools being used for remote execution, particularly PowerShell Remoting, WMIC and WinRS.


Attackers love these tools because:

  • They’re already installed on almost every Windows machine.

  • They blend in perfectly with normal IT activity.

  • And they use legitimate protocols (WinRM or RPC), which defenders often ignore.


WMIC (Windows Management Instrumentation Command-Line)

The WMIC /node: switch runs a command on a remote host over RPC/DCOM. When someone runs this:

wmic /node:cyberengage.svr process call create "cmd.exe /c C:\Public\HackBloodHound.exe"

the WMI provider host on cyberengage.svr, WmiPrvSE.exe, spawns that command, so the new process shows up with WmiPrvSE.exe as its parent. WMIC itself is deprecated and is no longer installed by default on the newest Windows 11 builds, but the same Win32_Process Create call is one line of PowerShell (Invoke-WmiMethod or Invoke-CimMethod), and it leaves the same WmiPrvSE.exe parent on the target.


Detection tip: If you see WmiPrvSE.exe spawning something unexpected, especially a strange command line, PowerShell, cmd.exe, or a binary outside C:\Windows and C:\Program Files, that’s a huge red flag.
Log relationships to remember:
  • Event ID 4624 (Type 3) on the target → the network logon that carried the WMI call (its Source Network Address is the attacker’s host)

  • Parent process: WmiPrvSE.exe

  • Child process: The command being executed (cmd.exe, powershell.exe, etc.)

  • Use Sysmon Event ID 1 (Process Creation) or 4688 (Security Log) to tie it all together. 4688 only carries the command line if “Include command line in process creation events” is enabled, so check that policy before you rely on it.



PowerShell Remoting (WinRM)

PowerShell remoting uses the WinRM service to execute PowerShell commands on remote systems. When an attacker runs:

Enter-PSSession -ComputerName cyberengage.svr -Credential Administrator

or

Invoke-Command -ComputerName cyberengage.svr -ScriptBlock { Start-Process C:\Public\HackBloodHound.exe }

On the target endpoint, you’ll see wsmprovhost.exe kick in. That’s the host process for remote PowerShell sessions, and the session arrives over WinRM (TCP 5985, or 5986 for HTTPS).


Detection tip: In your EDR or Sysmon data, look for wsmprovhost.exe as a parent of suspicious child processes (like cmd.exe, powershell.exe, rundll32.exe, etc.).
Log indicators:
  • Event ID 4624, Logon Type 3 (network logon)

  • Parent process: wsmprovhost.exe

  • Sysmon Event ID 1 → shows the command line of anything the session spawned.

  • Microsoft-Windows-PowerShell/Operational Event ID 4104 (script block logging) on the target → shows the actual script block handed to Invoke-Command, even when it never spawns a child process.



WinRS (Windows Remote Shell)

This one’s often overlooked but used heavily by adversaries. winrs.exe works over the same WinRM protocol as PowerShell remoting — but it directly runs programs instead of PowerShell commands.


Example:

winrs -r:cyberengage.svr "C:\Public\HackBloodHound.exe"

This will launch WinrsHost.exe on cyberengage.svr, which spawns cmd.exe → executes the malicious payload.


Detection stack:
  • Event ID 4624, Logon Type 3

  • Process chain: svchost.exe → WinrsHost.exe → cmd.exe → HackBloodHound.exe

  • Sysmon Event ID 1 to capture command-line parameters.
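The three sections above all come down to one hunt: a remote-execution host process (WmiPrvSE.exe, wsmprovhost.exe, winrshost.exe) spawning something it shouldn’t, tied to the Type 3 logon that preceded it. Here is that hunt in working form, as an added example that is not part of the original post. The Sysmon and 4624 records are constructed (the host names, users, IPs and times are my assumptions, not data from the article), in the flat JSON shape a SIEM export would give you.

```python
from datetime import datetime

# Host processes that run commands on behalf of WMIC, PowerShell Remoting and WinRS.
TECHNIQUE_BY_PARENT = {
    "wmiprvse.exe": "WMI (wmic /node, Invoke-WmiMethod)",
    "wsmprovhost.exe": "PowerShell Remoting",
    "winrshost.exe": "WinRS",
}
# Children that should rarely, if ever, hang off those hosts.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                       "regsvr32.exe", "mshta.exe", "certutil.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_remote_exec(sysmon_events, logon_events, window_seconds=60):
    """One alert per Sysmon EID 1 whose parent is a remote-exec host, joined to
    the most recent 4624 Type 3 on the same host within the window."""
    net_logons = [l for l in logon_events if l["EventID"] == 4624 and l["LogonType"] == 3]
    alerts = []
    for ev in sysmon_events:
        if ev["EventID"] != 1:
            continue
        parent = basename(ev["ParentImage"])
        if parent not in TECHNIQUE_BY_PARENT:
            continue
        child = basename(ev["Image"])
        outside_windows = not ev["Image"].lower().startswith(TRUSTED_PREFIXES)
        severity = "high" if child in SUSPICIOUS_CHILDREN or outside_windows else "medium"
        t = parse_ts(ev["UtcTime"])
        # The network logon that preceded the process tells us who came in and from where.
        candidates = [l for l in net_logons
                      if l["Computer"] == ev["Computer"]
                      and 0 <= (t - parse_ts(l["TimeCreated"])).total_seconds() <= window_seconds]
        logon = max(candidates, key=lambda l: l["TimeCreated"], default=None)
        alerts.append({
            "host": ev["Computer"],
            "technique": TECHNIQUE_BY_PARENT[parent],
            "parent": parent,
            "child": child,
            "cmdline": ev["CommandLine"],
            "severity": severity,
            "logon_user": logon["TargetUserName"] if logon else None,
            "source_ip": logon["IpAddress"] if logon else None,
        })
    return alerts


# Constructed sample telemetry (not from the article): two remote-exec hits on
# cyberengage.svr and one benign local shell on a workstation.
SYSMON = [
    {"EventID": 1, "Computer": "cyberengage.svr", "UtcTime": "2025-01-10 09:15:07",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c C:\\Public\\HackBloodHound.exe"},
    {"EventID": 1, "Computer": "cyberengage.svr", "UtcTime": "2025-01-10 09:20:41",
     "Image": "C:\\Public\\HackBloodHound.exe",
     "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
     "CommandLine": "\"C:\\Public\\HackBloodHound.exe\""},
    {"EventID": 1, "Computer": "ws01", "UtcTime": "2025-01-10 09:21:00",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe"},
]
LOGONS = [
    {"EventID": 4624, "Computer": "cyberengage.svr", "TimeCreated": "2025-01-10 09:15:05",
     "LogonType": 3, "TargetUserName": "Administrator", "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "Computer": "cyberengage.svr", "TimeCreated": "2025-01-10 09:20:40",
     "LogonType": 3, "TargetUserName": "Administrator", "IpAddress": "10.0.0.25"},
]

if __name__ == "__main__":
    for a in find_remote_exec(SYSMON, LOGONS):
        print(f"[{a['severity']}] {a['host']}: {a['technique']} {a['parent']} -> {a['child']} "
              f"by {a['logon_user']} from {a['source_ip']}: {a['cmdline']}")
```

The join window is short on purpose: WMI and WinRM spawn the process within a second or two of the logon, so a wide window mostly adds unrelated admin logons to the alert. If your Sysmon config already records the logon GUID, joining on that instead of time is cleaner.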


-------------------------------------------------------------------------------------------------------------


Explicit Credentials — Watching Attackers Switch Keys

One of the most underrated event IDs:

Event ID 4648 — “A logon was attempted using explicit credentials.”

Here’s what that means: a process explicitly handed over a username and password (or, with tools like Mimikatz, a hash) to run something, instead of riding on the credentials of the logon session it was already in.

So when attackers use tools like:

runas /user:Administrator cmd.exe
psexec \\cyberengage.svr -u cyberengage.org\user -p Welcome123 cmd.exe

or use Cobalt Strike modules that specify credentials — you’ll get a 4648 event.

What makes this event gold for defenders is that it’s logged on the source system — the machine the attacker is coming from, not just the one they’re moving to.

That means you can finally track the attack chain backwards — see where lateral movement originated.


How to Investigate 4648s
  • 4648 = a process supplied explicit credentials. It is written on the source host, and it fires even when the account supplied is the one already logged on.

  • 4624 Logon Type 9 (NewCredentials) = the caller cloned its token and attached new credentials for outbound network use only. That is what runas /netonly, Mimikatz pass-the-hash and Cobalt Strike make_token produce. A plain runas /user: without /netonly produces a Logon Type 2 instead, so don’t expect every 4648 to pair with a Type 9.

  • If you see a 4648 → look at:

    • The “Target Server Name” field. “localhost” means the credentials were used to start something on this very host (the runas case). Any other value names the host the credentials were sent to, and this machine is the source of that outbound logon.

    • Subject account vs Target account, and the Process Name that supplied the credentials (runas.exe, PsExec.exe and powershell.exe are the usual suspects).

    • The timestamp: match it against 4688/Sysmon 1 and PowerShell logs on this host, and against the 4624 Type 3 on the target.


Pro tip:

Filter out the noise (computer accounts, M365 services, etc.) — what remains is almost always either:

  • Admins doing maintenance, or

  • Attackers moving laterally
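Here is that triage as working code, added here and not part of the original post: take the 4648s from one source host, throw away the machine-account and service-identity noise, work out whether each one was local or outbound from Target Server Name, and rank what is left by how much it looks like a credential switch. The events, host names, users and the privileged-account watch-list are constructed assumptions, not data from the article.

```python
# Identities that generate 4648s as part of normal Windows housekeeping.
SERVICE_IDENTITIES = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "DWM-1", "UMFD-0"}
# Constructed watch-list: accounts whose explicit use always deserves a look.
PRIVILEGED = {"administrator"}
# Tools that commonly supply explicit credentials during lateral movement.
SWITCH_TOOLS = {"runas.exe", "psexec.exe", "psexesvc.exe", "powershell.exe",
                "wmic.exe", "winrs.exe"}


def triage_4648(events):
    """Return the interesting 4648s from a source host, highest score first."""
    findings = []
    for e in events:
        if e["EventID"] != 4648:
            continue
        subj, tgt = e["SubjectUserName"], e["TargetUserName"]
        # Machine accounts and built-in service identities are the usual noise.
        if subj.endswith("$") or tgt.endswith("$") or tgt.upper() in SERVICE_IDENTITIES:
            continue
        server = e["TargetServerName"].lower()
        # 4648 is written on the machine that supplied the credentials, so
        # "localhost" means they were used right here; anything else is outbound.
        local = server in ("localhost", e["Computer"].lower())
        proc = e["ProcessName"].rsplit("\\", 1)[-1].lower()
        score = 0
        if subj.lower() != tgt.lower():
            score += 2                      # a real credential switch
        if tgt.lower() in PRIVILEGED:
            score += 2
        if proc in SWITCH_TOOLS:
            score += 1
        if not local:
            score += 1                      # this host is the origin of a lateral move
        findings.append({
            "host": e["Computer"], "time": e["TimeCreated"],
            "subject": subj, "target": tgt,
            "direction": "local" if local else "outbound",
            "target_host": None if local else e["TargetServerName"],
            "process": proc, "score": score,
        })
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample 4648s from workstation WS01 (not from the article).
EVENTS_4648 = [
    {"EventID": 4648, "Computer": "WS01", "TimeCreated": "2025-01-10 09:14:50",
     "SubjectUserName": "jdoe", "TargetUserName": "Administrator",
     "TargetServerName": "localhost", "ProcessName": "C:\\Windows\\System32\\runas.exe"},
    {"EventID": 4648, "Computer": "WS01", "TimeCreated": "2025-01-10 09:15:03",
     "SubjectUserName": "jdoe", "TargetUserName": "svc_deploy",
     "TargetServerName": "cyberengage.svr", "ProcessName": "C:\\Tools\\PsExec.exe"},
    {"EventID": 4648, "Computer": "WS01", "TimeCreated": "2025-01-10 09:15:10",
     "SubjectUserName": "WS01$", "TargetUserName": "WS01$",
     "TargetServerName": "localhost", "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4648, "Computer": "WS01", "TimeCreated": "2025-01-10 09:16:22",
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe",
     "TargetServerName": "fileserver01", "ProcessName": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in triage_4648(EVENTS_4648):
        where = f["target_host"] or "this host"
        print(f"[{f['score']}] {f['time']} {f['subject']} -> {f['target']} "
              f"({f['direction']}, {where}) via {f['process']}")
```

The last sample (jdoe re-entering their own password to reach a file share) scores lowest; it is exactly the admin-doing-maintenance case the pro tip above mentions, and the scoring keeps it visible without letting it bury the runas and PsExec hits.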


-------------------------------------------------------------------------------------------------------------

NTLM Relay Attacks — Spotting the Subtle Network Trick

Now, for the fun part. NTLM relay attacks don’t “crack” anything. The attacker sits between a client and a server, takes the NTLM challenge/response the client hands over, and forwards it to the server, which accepts it as the client’s logon. No password or hash ever has to be recovered.


So what happens in the logs?

Event ID 4624 on Server will show:

  • Workstation Name: Client (this value is copied from the client’s NTLM AUTHENTICATE message)

  • Source Network Address: the IP the connection actually arrived from, which is the relaying host (the attacker), not the client


That mismatch is your giveaway.

This “split identity” is a strong sign of NTLM relay in action.


To confirm:
  • Correlate the IPs: does the Source Network Address belong to the host named in Workstation Name?

  • If DHCP is used, grab DHCP lease logs to confirm which IP belonged to which device at that moment.

  • NTLM relay is usually followed by SMB anomalies on the same logon (e.g., access to ADMIN$ and IPC$ shares) as the attacker turns the relayed session into code execution.

  • One caveat: Workstation Name is whatever the client claimed. An attacker with stolen credentials (pass-the-hash rather than relay) can set it to match the host they are on, so a clean match doesn’t clear a logon; it only means this particular tell is absent. Requiring SMB signing (and LDAP signing/channel binding) kills relay at the protocol level, which beats detecting it.


-------------------------------------------------------------------------------------------------------------

Summing Up

Recap:

Technique            | Key Parent Process | Log/Event IDs           | Detection Clue
---------------------|--------------------|-------------------------|---------------------------------------
WMIC                 | WmiPrvSE.exe       | 4624 (Type 3), Sysmon 1 | Suspicious child processes
PowerShell Remoting  | wsmprovhost.exe    | 4624 (Type 3), Sysmon 1 | Remote commands / child processes
WinRS                | winrshost.exe      | 4624 (Type 3), Sysmon 1 | Command execution via WinRM
Explicit Credentials | varies             | 4648, 4624 (Type 9)     | Credential use logged on the source host
NTLM Relay           | N/A                | 4624                    | Workstation Name ≠ host that owns the source IP

-------------------------------------------------------------------------------------------------------------


Credential Theft and Reuse

Credential theft and reuse attacks often exploit weaker encryption types and legacy authentication protocols (NTLM) to move laterally through a Windows domain.

Key detection points lie in Kerberos event IDs (4768, 4769) and NTLM authentication logs (4624, 4776).

1. Abuse of Weak Kerberos Encryption (RC4-HMAC-MD5)

Attackers often force the use of weaker encryption types to speed up offline password cracking or perform “Overpass-the-Hash” (pass-the-key) attacks.


Common Scenarios:

Attack Type       | Description                                                                                              | Key Event ID(s) | Detection Indicator
------------------|----------------------------------------------------------------------------------------------------------|-----------------|----------------------------------------------------------------------
Kerberoasting     | Attackers request service tickets for SPN accounts with RC4-HMAC-MD5 so the tickets can be cracked offline against the service account password. | 4769 | Ticket Encryption Type: 0x17 or 0x18
Overpass-the-Hash | Attackers use a stolen NT hash as the RC4 Kerberos key to request a TGT.                                | 4768            | Ticket Encryption Type (and, post-Jan 2025, Session Encryption Type): 0x17 / 0x18


Key Log Artifacts:

  • Event ID 4769 – Service Ticket Request

    Ticket Encryption Type: 0x17 (RC4-HMAC-MD5)

  • Event ID 4768 – TGT Request

    Ticket Encryption Type: 0x17 Session Encryption Type: 0x17

    (Post-Jan 2025 patch introduces more fields for encryption visibility.)


Why RC4 Matters

  • RC4-HMAC-MD5 (0x17) is a legacy encryption type (0x18 is its export-grade sibling, RC4-HMAC-EXP).

  • AES128 (0x11) or AES256 (0x12) are the defaults in modern environments.

  • Seeing frequent 0x17 or 0x18 tickets → highly suspicious, unless legacy systems exist.

  • A service account with no AES keys at all (msDS-SupportedEncryptionTypes unset or RC4-only) will legitimately get RC4 tickets, so the signal is not “RC4 appeared” but “RC4 was requested for an account that normally gets AES”, or one requester pulling RC4 tickets for many different services in a short window. Keep in mind that Kerberoasting also works against AES tickets; they just crack far slower, so an RC4-only hunt will miss a patient attacker.



Defender Tip:

Hunt for Event IDs 4768/4769 where Encryption Type = 0x17 or 0x18. Filter out legacy systems, then review recent TGS/TGT requests by privileged or service accounts.
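That defender tip, written out as a hunt over 4768/4769 records. This is an added example, not code from the original post: it applies the legacy allow-list, drops computer accounts and krbtgt from the TGS stream, flags an RC4 TGT request as an Overpass-the-Hash candidate, and flags a requester that pulls RC4 service tickets for several distinct SPNs inside a short window as a Kerberoasting candidate. The events, account names, the svc_legacyapp allow-list entry and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

RC4_TYPES = {"0x17", "0x18"}            # RC4-HMAC-MD5 and RC4-HMAC-EXP
# Constructed allow-list: accounts known to have no AES keys yet.
LEGACY_RC4_OK = {"svc_legacyapp"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def account(name):
    # 4769 writes the requester as user@REALM; normalise to the bare name.
    return name.split("@", 1)[0].lower()


def hunt_rc4(events, roast_threshold=3, window_seconds=300):
    """Return Overpass-the-Hash and Kerberoasting candidates from 4768/4769 records."""
    findings = []
    tgs_by_user = defaultdict(list)
    for e in events:
        if e.get("Status", "0x0") != "0x0":
            continue                        # failed requests are a different hunt
        if e.get("TicketEncryptionType", "").lower() not in RC4_TYPES:
            continue
        if e["EventID"] == 4768:
            user = account(e["TargetUserName"])
            if user in LEGACY_RC4_OK:
                continue
            findings.append({"type": "overpass-the-hash candidate", "user": user,
                             "ip": e["IpAddress"], "time": e["TimeCreated"]})
        elif e["EventID"] == 4769:
            svc = e["ServiceName"].lower()
            # Computer accounts and krbtgt are not roastable; allow-listed SPNs are expected.
            if svc.endswith("$") or svc == "krbtgt" or svc in LEGACY_RC4_OK:
                continue
            tgs_by_user[account(e["TargetUserName"])].append(e)
    for user, reqs in tgs_by_user.items():
        reqs.sort(key=lambda r: r["TimeCreated"])
        # Sliding window: how many distinct services did this user pull RC4 tickets for?
        for i, first in enumerate(reqs):
            t0 = parse_ts(first["TimeCreated"])
            burst = [r for r in reqs[i:]
                     if (parse_ts(r["TimeCreated"]) - t0).total_seconds() <= window_seconds]
            services = sorted({r["ServiceName"].lower() for r in burst})
            if len(services) >= roast_threshold:
                findings.append({"type": "kerberoasting candidate", "user": user,
                                 "ip": first["IpAddress"], "time": first["TimeCreated"],
                                 "services": services})
                break
    return findings


# Constructed sample DC events (not from the article).
def _tgs(time, user, svc, ip="10.0.0.15", enc="0x17"):
    return {"EventID": 4769, "TimeCreated": time, "TargetUserName": user,
            "ServiceName": svc, "IpAddress": ip, "TicketEncryptionType": enc, "Status": "0x0"}

KERB = [
    {"EventID": 4768, "TimeCreated": "2025-01-10 09:00:01", "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.15", "TicketEncryptionType": "0x12", "Status": "0x0"},   # normal AES TGT
    {"EventID": 4768, "TimeCreated": "2025-01-10 09:10:30", "TargetUserName": "Administrator",
     "IpAddress": "10.0.0.25", "TicketEncryptionType": "0x17", "Status": "0x0"},   # RC4 TGT: OtH?
    _tgs("2025-01-10 09:12:00", "jdoe@CYBERENGAGE.ORG", "svc_sql"),
    _tgs("2025-01-10 09:12:02", "jdoe@CYBERENGAGE.ORG", "svc_web"),
    _tgs("2025-01-10 09:12:03", "jdoe@CYBERENGAGE.ORG", "svc_legacyapp"),         # allow-listed
    _tgs("2025-01-10 09:12:05", "jdoe@CYBERENGAGE.ORG", "CYBERENGAGE-SVR$"),      # computer account
    _tgs("2025-01-10 09:12:09", "jdoe@CYBERENGAGE.ORG", "svc_backup"),
    _tgs("2025-01-10 09:30:00", "bsmith@CYBERENGAGE.ORG", "svc_sql", ip="10.0.0.16"),  # one-off
]

if __name__ == "__main__":
    for f in hunt_rc4(KERB):
        print(f)
```

The window and threshold are the knobs to tune per environment: a real Kerberoast sweep asks for every SPN in the domain within seconds, while a human opening a SQL client and a web app across an afternoon never crosses three distinct RC4 services in five minutes.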


2. NTLM and Pass-the-Hash Detection

Even with Kerberos as the default protocol, NTLMv2 authentication still appears — especially in legacy or IP-based connections. Attackers exploit NTLM through pass-the-hash, relay, or forced authentication attacks.


Detection via Logs:

Log Type                   | Event ID | Description
---------------------------|----------|----------------------------------------------------------------------------------------------
Account Logon (on the DC)  | 4776     | NTLM credential validation: the DC (domain accounts) or the local SAM (local accounts) checked the hash. No logon type or target host here.
Logon Success (Network)    | 4624     | Check for Authentication Package: NTLM and Package Name (NTLM only): NTLM V2

Normal vs Suspicious:

  • Normal: Kerberos authentication seen (Package Name: -)

  • Suspicious: NTLMv2 used on systems that normally use Kerberos (e.g., sudden NTLMv2 activity on domain controllers or file servers)


Sample 4624 Log (NTLMv2)
Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Package Name (NTLM only): NTLM V2
  Key Length: 128
Hunt Strategy:
  • Look for unusual NTLMv2 authentications in Event IDs 4624 / 4776.

  • Correlate with 4648 (Explicit Credentials) or 4624 Logon Type 9 to trace the origin.

  • Watch for sudden NTLMv2 spikes or logons to unfamiliar hosts.
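The hunt strategy above and the NTLM relay check from earlier both start from the same place: parsing 4624 out of the event XML and looking at Authentication Package, Package Name, Workstation Name and Source Network Address together. Here is one added example (not code from the original post) that does both: it flags NTLMv2 network logons on hosts that should only ever see Kerberos, and flags any logon whose Workstation Name belongs to a different IP than the one the connection came from. The asset-to-IP map stands in for DHCP lease logs or a CMDB; it, the host list, the users and the events are constructed assumptions. The events are built in the real Windows event XML layout so the parser is the part you can reuse.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed asset map: what you would pull from DHCP leases or the CMDB.
ASSET_IPS = {"ws01": "10.0.0.15", "ws02": "10.0.0.16"}
# Constructed list of hosts that should only ever see Kerberos from domain users.
KERBEROS_ONLY_HOSTS = {"cyberengage.svr", "dc01"}


def parse_event(xml_text):
    """Flatten a Windows event (System + EventData) into one dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = int(system.find("e:EventID", NS).text)
    fields["Computer"] = system.find("e:Computer", NS).text
    return fields


def analyze_ntlm_logons(xml_events):
    findings = []
    for xml_text in xml_events:
        e = parse_event(xml_text)
        if e["EventID"] != 4624 or e["LogonType"] != "3":
            continue
        user = e["TargetUserName"]
        if user.upper() == "ANONYMOUS LOGON" or user.endswith("$"):
            continue                        # null sessions and machine accounts: separate hunts
        if e["AuthenticationPackageName"] != "NTLM":
            continue                        # Kerberos logons carry Package Name "-"
        ws, ip = e["WorkstationName"].lower(), e["IpAddress"]
        reasons = []
        if e["Computer"].lower() in KERBEROS_ONLY_HOSTS:
            reasons.append(f"{e['LmPackageName']} logon on a Kerberos-only host")
        expected = ASSET_IPS.get(ws)
        if expected and expected != ip:
            # The relay tell: the server saw the client's name but the attacker's IP.
            reasons.append(f"Workstation Name {ws} lives at {expected} but the connection came from {ip}")
        if reasons:
            findings.append({"host": e["Computer"], "user": user, "workstation": ws,
                             "source_ip": ip, "reasons": reasons})
    return findings


def build_4624(computer, user, workstation, ip, auth_pkg, lm_pkg):
    """Constructed test input in the Windows event XML layout (not a real capture)."""
    data = {"TargetUserName": user, "LogonType": "3", "WorkstationName": workstation,
            "IpAddress": ip, "AuthenticationPackageName": auth_pkg, "LmPackageName": lm_pkg}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{body}</EventData></Event>')


SAMPLE = [
    # Relay: the server sees WS01's name but another host's IP, over NTLMv2, on a Kerberos-only host.
    build_4624("cyberengage.svr", "jdoe", "WS01", "10.0.0.99", "NTLM", "NTLM V2"),
    # Ordinary NTLMv2 to a file server from the workstation that really owns the IP: not flagged.
    build_4624("fileserver01", "jdoe", "WS01", "10.0.0.15", "NTLM", "NTLM V2"),
    # Kerberos logon: skipped entirely.
    build_4624("cyberengage.svr", "jdoe", "WS02", "10.0.0.16", "Kerberos", "-"),
    # Machine account over NTLM: excluded as noise here.
    build_4624("cyberengage.svr", "WS02$", "WS02", "10.0.0.16", "NTLM", "NTLM V2"),
]

if __name__ == "__main__":
    for f in analyze_ntlm_logons(SAMPLE):
        print(f"{f['host']}: {f['user']} from {f['source_ip']} as {f['workstation']}")
        for r in f["reasons"]:
            print("   -", r)
```

Feed it the output of Get-WinEvent with -FilterXPath for EventID 4624 (each event’s ToXml()) and swap the two constants for your real asset map and host list; the rest is the same logic. The second sample is the important negative case: NTLMv2 to a file server from the right IP is ordinary, and a hunt that fires on every NTLMv2 logon will drown you.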



3. Post-Jan 2025 Microsoft Patch — What Changed?

Microsoft’s January 2025 update enhanced Event ID 4768 and 4769 logs:

  • Added new fields:

    • Session Encryption Type

    • Pre-Authentication Encryption Type

    • Long-Term Key Type visibility

  • Enables defenders to differentiate client-supported encryption vs DC-issued encryption.

  • Greatly improves detection of RC4 downgrade or forced-weak encryption scenarios.



4. Other Lateral Movement Indicators

Technique                     | Event ID                        | What to Look For
------------------------------|---------------------------------|------------------------------------------------------------------------------
Credential switching (RunAs)  | 4648                            | Explicit credential use, logged on the source host; points at where the lateral move began
Logon Type 9 (NewCredentials) | 4624                            | A token cloned with new network-only credentials (runas /netonly, pass-the-hash tooling)
Delegation abuse              | 4624 + abnormal access patterns | Delegated service accounts connecting to new/unexpected systems
Coercion/NTLM Relay           | 4624                            | Mismatch between Workstation Name and Source Network Address


Quick Hunt Queries (SIEM Examples)

Kerberoasting

SecurityEvent
| where EventID == 4769 and Status == "0x0"
| where TicketEncryptionType in ("0x17", "0x18")
| where ServiceName !endswith "$" and ServiceName != "krbtgt"   // computer accounts and krbtgt are not roastable
| project TimeGenerated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress

Overpass-the-Hash

SecurityEvent
| where EventID == 4768 and Status == "0x0"
| where SessionEncryptionType in ("0x17", "0x18") or TicketEncryptionType in ("0x17", "0x18")
| project TimeGenerated, TargetUserName, IpAddress, Computer, TicketEncryptionType

NTLMv2 Usage

SecurityEvent
| where EventID == 4624 and LogonType == 3
| where AuthenticationPackageName == "NTLM" and LmPackageName == "NTLM V2"
| where TargetUserName != "ANONYMOUS LOGON" and not(TargetUserName endswith "$")   // null sessions and machine accounts are separate hunts
| project TimeGenerated, Computer, TargetUserName, IpAddress, WorkstationName

-------------------------------------------------------------------------------------------------------------

Summary

Attack Type          | Key Event IDs       | Indicator            | What It Means
---------------------|---------------------|----------------------|------------------------------------------
Kerberoasting        | 4769                | RC4-HMAC-MD5 (0x17)  | Weak encryption used for service tickets
Overpass-the-Hash    | 4768                | RC4-HMAC-MD5 (0x17)  | TGT requested using NT hash
Pass-the-Hash        | 4624, 4776          | NTLMv2 logons        | Reuse of stolen NTLM hash
Credential Switching | 4648, 4624 (Type 9) | Explicit credentials | Lateral movement initiation
NTLM Relay           | 4624                | Hostname-IP mismatch | Relayed authentication

-------------------------------------------------------------------------------------------------------------


Bonus:


Abuse of Administrative Credentials & Tools

Once attackers compromise high-privileged accounts like Domain Admins or service accounts, they effectively inherit legitimate administrative rights — becoming "unpaid administrators."

They can now:
  • Control much of the environment (domain, servers, endpoints).

  • Use legitimate tools for remote management and execution such as:

    • RDP, VNC, PowerShell, PsExec, WMIC, and Group Policy.

    • Patch management and software deployment tools to push malicious payloads.


Detection & Defense
  • Restrict and monitor accounts used for deployment.

  • Use unique accounts (not Domain Admins) for patching.

  • Limit deployment windows (detect off-hour use).

  • Maintain decoy/test systems to log and analyze deployment activities.

  • Watch for unexpected GPO changes or new deployment tasks.


Lateral Movement via Vulnerability Exploitation

When credentials aren’t available or remote access is blocked, attackers turn to exploiting vulnerabilities to move laterally.


Trends

  • Vulnerability exploitation is on the rise — both for initial access and lateral movement.

  • Zero-days increasingly used by state-sponsored actors.



Detection Methods
  • Crash / Exploit Detection:

    • Event logs showing crashes or memory corruption.

    • Microsoft Exploit Guard / antivirus telemetry.

  • Process Creation Monitoring (Event ID 4688):

    • Detect abnormal parent-child process chains (e.g., IIS worker spawning cmd.exe).

    • Watch for code injection, new handles, and unusual command shells.

  • Application control / EDR logs.

  • Threat intelligence to track newly exploited vulnerabilities.

  • Memory forensics for hidden or injected processes.




-------------------------------------------------------------------------------------------------------------


Wrapping up:

Effective lateral movement detection hinges on visibility, context, and restraint of privilege. Attackers exploit legitimate pathways; defenders must therefore combine behavioral monitoring, account segregation, and timely patching to break the chain before impact.


-------------------------------------------Dean----------------------------------------------------------

 
 
 