One Day Sec

How does wmic enable remote command execution for lateral movement?

wmic can execute programs on remote systems using the `Win32_Process::Create` method. The syntax is: `wmic /node:<IP> /user:... /password:... process call create "command"`. For example, `wmic /node:192.168.1.1 /user:administrator /password:123456 process call create "calc"` launches Calculator on the remote host. This is a common technique for lateral movement, as it allows attackers to run arbitrary binaries without needing RDP or other services. The Penetration Basics - Usage of WMIC article provides additional examples.
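On the detection side, this command line is distinctive in process-creation telemetry. The following is an added example, not part of the original page: a Python filter that flags `wmic` invocations combining `/node:` with `process call create` and redacts any inline `/password:` value. The sample events and all function names are constructed for illustration.

```python
import re

# Constructed sample command lines, shaped like the CommandLine field of
# process-creation telemetry. They are illustrative, not real log data.
SAMPLE_EVENTS = [
    'wmic /node:192.168.1.1 /user:administrator /password:123456 process call create "calc"',
    'WMIC.exe /NODE:"10.0.0.7" process call create "cmd.exe /c whoami"',
    'wmic os get caption',                      # local query, benign
    'wmic /node:10.0.0.9 os get caption',       # remote query, no execution
    'wmic process call create "notepad.exe"',   # local process creation
]

WMIC_RE = re.compile(r'(?i)(?:^|[\\/\s"])wmic(?:\.exe)?"?\s')
NODE_RE = re.compile(r'(?i)/node:\s*"?([^"\s]+)"?')
CREATE_RE = re.compile(r'(?i)\bprocess\s+call\s+create\s+(.+)$')
PASSWORD_RE = re.compile(r'(?i)/password:\s*"?[^"\s]+"?')


def analyze(cmdline):
    """Return a finding for remote wmic process creation, or None."""
    if not WMIC_RE.search(cmdline):
        return None
    node = NODE_RE.search(cmdline)
    create = CREATE_RE.search(cmdline)
    # Both a remote target and a Create call must be present to alert.
    if not (node and create):
        return None
    return {
        "node": node.group(1),
        "command": create.group(1).strip().strip('"'),
        # Credentials on the command line end up in logs; record and redact.
        "inline_password": bool(PASSWORD_RE.search(cmdline)),
        "redacted": PASSWORD_RE.sub("/password:<redacted>", cmdline),
    }


def scan(events):
    """Analyze every command line and keep only the findings."""
    return [f for f in map(analyze, events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

This matches only the `wmic.exe` command-line client as seen on the originating host; it relies on command-line logging being enabled for process-creation events.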
