Hunting for Lateral Movement via WMI

Overview

Windows Management Instrumentation (WMI) is commonly abused for lateral movement, for example by calling Win32_Process.Create() on a remote host to execute a command there. Detection focuses on two sources. First, process-creation telemetry (Windows Security Event ID 4688 and Sysmon Event ID 1) in which WmiPrvSE.exe, the WMI provider host, is the parent of a shell or script interpreter such as cmd.exe or powershell.exe; because the request arrives over WMI, the attacker's command is spawned by the provider host rather than by the caller's own process. Note that 4688 only carries the command line when the "Include command line in process creation events" policy is enabled. Second, the Microsoft-Windows-WMI-Activity/Operational log, where Event ID 5857 records a WMI provider being loaded, 5860 a temporary event subscription and 5861 a permanent event subscription (filter-to-consumer binding); a 5861 that binds a CommandLineEventConsumer or ActiveScriptEventConsumer is the indicator of WMI event subscription persistence.

When to Use

- When investigating security incidents that require hunting for lateral movement via WMI
- When building detection rules or threat hunt…
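The detection logic described above, run over a handful of constructed log records, as an added example that is not part of the original playbook. The records mimic the field names of Sysmon Event ID 1 (ParentImage/Image), Security Event ID 4688 (ParentProcessName/NewProcessName) and WMI-Activity/Operational 5860/5861 (Message), but their values are invented. The list of suspicious child images goes beyond the two the page names (cmd.exe, powershell.exe) to other common script hosts; that extension, and the loose regex for the consumer class in the 5861 message text, are assumptions made here.

```python
"""Toy hunt for WMI-based lateral movement and WMI subscription persistence.

Added example, not part of the original playbook. Sample records below are
constructed, not real telemetry.
"""
import ntpath
import re

# Child images that should not normally be spawned by WmiPrvSE.exe. cmd.exe and
# powershell.exe are the two the playbook names; the rest are an assumption
# added here (common script hosts and LOLBins seen behind Win32_Process.Create).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
}

# Standard consumer classes that run code when a permanent subscription fires.
CODE_EXEC_CONSUMERS = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")

# Loose match for 'Consumer = <Class>...' in a 5861 message (assumption: the
# exact message layout varies by Windows version, so we only key on the class).
_CONSUMER_RE = re.compile(r"Consumer\s*=\s*([A-Za-z]+EventConsumer)")


def _basename(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()


def _parent_child(event):
    """Normalise Sysmon 1 / Security 4688 to (parent, child) image names.

    Returns None for events from other channels or with other IDs.
    """
    chan, eid = event.get("Channel"), event.get("EventID")
    if chan == "Microsoft-Windows-Sysmon/Operational" and eid == 1:
        return _basename(event.get("ParentImage")), _basename(event.get("Image"))
    if chan == "Security" and eid == 4688:
        return _basename(event.get("ParentProcessName")), _basename(event.get("NewProcessName"))
    return None


def wmi_remote_exec_hits(events):
    """Process-creation events where WmiPrvSE.exe spawns a shell or script host.

    This is the Win32_Process.Create() pattern: the WMI provider host, not the
    remote caller, is the parent. Returns (Computer, parent, child, CommandLine).
    """
    hits = []
    for ev in events:
        pc = _parent_child(ev)
        if pc is None:
            continue
        parent, child = pc
        if parent == "wmiprvse.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append((ev.get("Computer"), parent, child, ev.get("CommandLine", "")))
    return hits


def wmi_subscription_hits(events):
    """WMI-Activity/Operational 5861 records binding a code-executing consumer.

    5860 is a temporary (in-process) subscription and 5861 a permanent binding;
    only the latter survives a reboot, so only 5861 is treated as persistence.
    Returns (Computer, consumer class).
    """
    hits = []
    for ev in events:
        if ev.get("Channel") != "Microsoft-Windows-WMI-Activity/Operational":
            continue
        if ev.get("EventID") != 5861:
            continue
        m = _CONSUMER_RE.search(ev.get("Message", ""))
        if m and m.group(1) in CODE_EXEC_CONSUMERS:
            hits.append((ev.get("Computer"), m.group(1)))
    return hits


# Constructed sample records (not real telemetry). Field names follow the
# channels' schemas; hostnames, paths and command lines are invented.
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "whoami > C:\Windows\Temp\o.txt"'},
    {"Channel": "Security", "EventID": 4688, "Computer": "WS02",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    # Benign: WmiPrvSE.exe launching an installer via a management agent.
    {"Channel": "Security", "EventID": 4688, "Computer": "WS02",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i agent.msi /qn"},
    # Benign: cmd.exe with an interactive (non-WMI) parent.
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS03",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"Channel": "Microsoft-Windows-WMI-Activity/Operational", "EventID": 5861, "Computer": "WS01",
     "Message": ('Namespace = //./root/subscription; Eventfilter = Updater '
                 '(refer to its activate eventid:5859); '
                 'Consumer = CommandLineEventConsumer="Updater"; PossibleCause = Binding EventFilter')},
    {"Channel": "Microsoft-Windows-WMI-Activity/Operational", "EventID": 5860, "Computer": "WS01",
     "Message": 'Namespace = //./root/cimv2; NotificationQuery = SELECT * FROM __InstanceModificationEvent'},
]

if __name__ == "__main__":
    for hit in wmi_remote_exec_hits(SAMPLE_EVENTS):
        print("WMI remote exec:", hit)
    for hit in wmi_subscription_hits(SAMPLE_EVENTS):
        print("WMI persistence:", hit)
```

Against the sample set this flags the two WmiPrvSE.exe-spawned shells (WS01, WS02) and the single permanent subscription on WS01, while ignoring the msiexec.exe child, the explorer.exe-spawned cmd.exe and the temporary 5860 subscription. In a real hunt the same two functions would be fed from Get-WinEvent exports or a SIEM query rather than the inline list, and the benign-parent allowlist (management agents that legitimately drive WMI) would need tuning per environment.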