CHAPTER 4
Remote Triage Tools
Credential theft attacks underpin a large portion of the lateral movement performed by modern adversaries. Tools like BloodHound (https://github.com/BloodHoundAD/BloodHound) or DeathStar (https://github.com/byt3bl33d3r/DeathStar) help automate the process of locating systems where users with privileged credentials are currently logged on, to facilitate attackers gaining access to those systems, leveraging local administrator permissions, and stealing the stored privileged credentials. Once privileged credentials are obtained, it is much easier for an attacker to move freely about the environment. Domain or enterprise credentials will frequently allow the attacker to jump to additional data silos, such as remote offices or cloud resources.
Given that interactive logons present such a high risk, we will spend this chapter looking at other mechanisms that access remote systems in a noninteractive manner to conduct remote triage.
Windows Management Instrumentation Command‐Line Utility
Windows Management Instrumentation (WMI) allows administrators and incident handlers to retrieve granular data about Windows systems and to perform operations on those systems remotely. WMI consists of numerous classes that describe and manage IT systems. These classes can be accessed programmatically, with VBScript being a historically common mechanism for doing so. Microsoft also created a command‐line interface to interact with WMI classes, known as the Windows Management ...
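As an added example that is not from the book, the following PowerShell script collects a noninteractive triage snapshot from a remote host by querying the same WMI classes the command-line utility exposes (Win32_Process, Win32_Service, and so on), using the CIM cmdlets rather than wmic itself. It assumes the analyst account holds local administrator rights on the target and that WinRM or DCOM is reachable; the output directory and file naming are the author's own choices.

```powershell
# Added example: remote triage snapshot over WMI/CIM (not code from the book).
# Assumes admin rights on the target and WinRM (TCP 5985/5986) or DCOM access.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$OutDir = "$env:USERPROFILE\triage"
)

# A CIM session performs a network logon on the target: no interactive session
# is created there, so no reusable credential material is cached in its memory.
# Try WSMan (WinRM) first and fall back to DCOM for hosts without WinRM.
try {
    $session = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
} catch {
    $dcom    = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $ComputerName -SessionOption $dcom
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'

# WMI classes worth capturing early in an incident, with the properties that
# matter for triage. These are the classes behind the wmic aliases
# process, service, and startup.
$queries = @{
    process = @{ Class = 'Win32_Process'
                 Props = 'ProcessId','ParentProcessId','Name','ExecutablePath','CommandLine','CreationDate' }
    service = @{ Class = 'Win32_Service'
                 Props = 'Name','State','StartMode','StartName','PathName','ProcessId' }
    startup = @{ Class = 'Win32_StartupCommand'
                 Props = 'Name','Command','Location','User' }
    logon   = @{ Class = 'Win32_LogonSession'
                 Props = 'LogonId','LogonType','AuthenticationPackage','StartTime' }
}

foreach ($entry in $queries.GetEnumerator()) {
    $path = Join-Path $OutDir ("{0}-{1}-{2}.csv" -f $ComputerName, $entry.Key, $stamp)
    Get-CimInstance -CimSession $session -ClassName $entry.Value.Class |
        Select-Object -Property $entry.Value.Props |
        Export-Csv -Path $path -NoTypeInformation

    # Record a hash of each artifact so later analysis can prove it is unchanged.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Write-Host ("{0}  SHA256={1}" -f $path, $hash)
}

Remove-CimSession -CimSession $session
```

Review the process CSV first: a parent/child pairing or executable path that does not fit the host's normal role is the quickest lead, and the logon CSV shows whether an interactive (type 2 or 10) session is currently exposing credentials on that host.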