Black & White Path

May 10, 2026 · Information Security

Bypassing Traditional WMIExec Detection with a File‑less WMI Lateral Movement Technique

The article dissects a stealthy, file‑less WMI lateral movement method that avoids the obvious Win32_Process.Create signature by hijacking stopped LocalSystem services, leveraging the LOLBIN ScriptRunner.exe to execute remote SMB scripts, automatically restoring the service and leaving minimal forensic traces.