07 - BruCON 0x0B - Catching WMI lateral movement in an enterprise network - Jaco Blokker

Published: 07 April 2025
on channel: BruCON Security Conference

SOC analysts face a tough job every day keeping their detection capabilities up to date with the latest vulnerabilities and threats.
What should they start looking for? Where in the network? What about the risk of false positives? And how frustrating it is when an attack has been missed!

It's not just about catching the latest, though. Take Windows Management Instrumentation (WMI): it has been built into Windows for years and has become more and more prevalent among attackers. Many administrators, and many attackers, love WMI.
Much can be found about its use, but very little seems to be documented about how to detect it at the network level. We gave it a shot.
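As an added illustration (not material from the talk), the block below shows the two common ways WMI is driven remotely from PowerShell, i.e. the traffic a network-level detection has to see. The host name, the command lines and the output paths are placeholders; run it only against a host you are allowed to test.

```powershell
# Added example, not from the BruCON talk: remote WMI usage as an admin or an
# attacker would type it. $Target and the command lines are placeholders.
$Target = 'srv01.corp.example'

# 1) Classic WMI cmdlets use DCOM: the client first talks to the RPC endpoint
#    mapper on TCP/135, then to a dynamically assigned high port on the target.
#    A network fingerprint therefore cannot rely on a fixed destination port alone.
Get-WmiObject -ComputerName $Target -Class Win32_OperatingSystem |
    Select-Object CSName, Caption, LastBootUpTime

# Remote process creation, the classic lateral-movement primitive.
$r = Invoke-WmiMethod -ComputerName $Target -Class Win32_Process -Name Create `
        -ArgumentList 'cmd.exe /c whoami > C:\Windows\Temp\wmi_test.txt'
"ReturnValue=$($r.ReturnValue) ProcessId=$($r.ProcessId)"   # ReturnValue 0 means success

# 2) CIM cmdlets use WS-Man (WinRM, TCP/5985 or 5986) by default, so a rule
#    written for the DCOM/RPC path will not see this traffic at all.
#    Forcing the Dcom protocol makes it exercise the same path as case 1.
$opt = New-CimSessionOption -Protocol Dcom
$s   = New-CimSession -ComputerName $Target -SessionOption $opt
Invoke-CimMethod -CimSession $s -ClassName Win32_Process -MethodName Create `
    -Arguments @{ CommandLine = 'cmd.exe /c hostname > C:\Windows\Temp\cim_test.txt' }
Remove-CimSession $s
```

Both transports are legitimate administration, so the same packets are produced by a sysadmin and by an intruder; what tells them apart is context (source host, account, time of day, target set), which is exactly where the false-positive question from the abstract comes in.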

In this talk we give a quick overview of Windows Management Instrumentation (WMI), our first naive approach to detecting its usage, the challenges we faced, lessons learned and results.

Part of the results are custom IDS (Snort) fingerprints which, with some tweaking, could fit your environment. As a next step we would like to share them with you. So let's improve together!