The wmiexec command uses COM to execute a process on the localhost or a target host. Usually, WMI is executed via powershell or wmic.exe, but Microsoft provides COM DLLs which can be used to interact with COM objects. Badger provides set_wmiconfig, get_wmiconfig and reset_wmiconfig to configure the wmi namespace, domain, username and password to interact with remote system. The below figure shows an example of local process creation for the process notepad.exe.
The above figure shows that the parent process is different after creating the process, even though we did not do PPID Spoofing. The reason behind this is COM. When you use COM objects to interact with the WinAPI calls, most of the tasks are performed with WmiPrvSE.exe instead of your own process. A quick look at Sysmon Logs show that notepad.exe was indeed created by WmiPrvSE.exe.
And further going down the rabbit hole shows that WmiPrvSE.exe was launched by DCOM and there is no parent process for it as it was launched by the COM Server.
The WMIExec command can also be used for remote process creation and lateral movement. Below is an example of lateral movement over SMB without creating a new service on the target host. The below figure can be explained as follows:
Note that processes on remote hosts are also created by the COM Server, so your badger would never be a parent process in this case (OPSEC much?).