BruCON 0x0B has ended
Thursday, October 10 • 16:30 - 17:30
Catching WMI lateral movement in an enterprise network


SOC analysts face a tough job every day keeping their detection capabilities up to date with the latest vulnerabilities and threats.
What should they start looking for? Where in the network? What about the risk of false positives? And how frustrating it is to miss an attack!

It’s not just about catching the latest, though. Take Windows Management Instrumentation (WMI): it has been built into Windows for years and has become more and more prevalent among attackers. Many administrators and attackers love WMI.
Much can be found on its use, but very little seems to be documented on how to detect it at the network level. We gave it a shot.

In this talk we will give a quick overview of Windows Management Instrumentation (WMI), our first naive approach to detecting its usage, the challenges we faced, lessons learned and results.

Part of the results are custom IDS (Snort) fingerprints which, with some tweaking, could fit your environment. As a next step we would like to share them with you. So let’s improve together!
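As an added illustration of what a network-level WMI detector has to key on, here is example code written for this page; it is not the speakers' Snort fingerprints, which the abstract does not reproduce. A remote WMI session happens in two stages: a DCOM activation request on tcp/135 that names the WbemLevel1Login CLSID, then a DCERPC bind on a dynamic port to one of the MS-WMI interfaces. The interface UUIDs and the CLSID below are the published MS-WMI/MS-DCOM values; the PDU builders and the sample flows are constructed test data, and the dynamic port 49670 is an assumption.

```python
"""Spot remote WMI use in raw DCERPC payloads: an illustrative detector, not the talk's Snort rules."""
import struct
import uuid

# Published MS-WMI interface UUIDs. After DCOM activation on tcp/135 the client
# reconnects to a dynamic port and issues a DCERPC bind naming one of these.
WMI_INTERFACES = {
    uuid.UUID("F309AD18-D86A-11D0-A075-00C04FB68820"): "IWbemLevel1Login",
    uuid.UUID("9556DC99-828C-11CF-A37E-00AA003240C7"): "IWbemServices",
    uuid.UUID("027947E1-D731-11CE-A357-000000000001"): "IEnumWbemClassObject",
}
# CLSID of the WbemLevel1Login class; it is carried inside the ISystemActivator
# RemoteCreateInstance request that a WMI client sends to the endpoint mapper port.
CLSID_WBEM_LEVEL1_LOGIN = uuid.UUID("8BC3F05E-D86B-11D0-A075-00C04FB68820")
NDR32 = uuid.UUID("8A885D04-1CEB-11C9-9FE8-08002B104860")    # NDR transfer syntax
SRVSVC = uuid.UUID("4B324FC8-1670-01D3-1278-5A47BF6EE188")   # unrelated interface, negative case
PTYPE_REQUEST, PTYPE_BIND, PTYPE_ALTER_CONTEXT = 0, 11, 14


def parse_bind_interfaces(payload: bytes) -> list:
    """Return the abstract-syntax UUIDs named in a DCERPC bind or alter_context PDU.

    Layout (DCE 1.1 CO / MS-RPCE): 16-byte common header; max_xmit(2) max_recv(2)
    assoc_group(4) n_context(1) pad(3); then per context: cont_id(2) n_transfer(1)
    pad(1) abstract uuid(16) version(4), followed by n_transfer x (uuid(16) version(4)).
    """
    if len(payload) < 28 or payload[0] != 5 or payload[2] not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return []
    little_endian = (payload[4] & 0xF0) == 0x10   # packed_drep: high nibble 1 = little-endian ints
    n_ctx, off, found = payload[24], 28, []
    for _ in range(n_ctx):
        if off + 24 > len(payload):
            break                                  # truncated PDU: report what we have
        raw = payload[off + 4:off + 20]
        found.append(uuid.UUID(bytes_le=raw) if little_endian else uuid.UUID(bytes=raw))
        off += 24 + 20 * payload[off + 2]
    return found


def wmi_indicators(payload: bytes, dst_port: int) -> list:
    """Return indicator strings for one TCP payload; an empty list means nothing WMI-specific seen."""
    hits = []
    # Stage 2: bind to a WMI interface on the dynamic port. The bind PDU is sent in the
    # clear even when the later ExecMethod stubs are protected with PKT_PRIVACY.
    for iface in parse_bind_interfaces(payload):
        if iface in WMI_INTERFACES:
            hits.append(f"DCERPC bind to {WMI_INTERFACES[iface]} on tcp/{dst_port}")
    # Stage 1: activation on the endpoint mapper port. A Snort rule expresses the same
    # check as a content match on the 16 little-endian CLSID bytes.
    if (dst_port == 135 and len(payload) > 24 and payload[0] == 5
            and payload[2] == PTYPE_REQUEST and CLSID_WBEM_LEVEL1_LOGIN.bytes_le in payload[24:]):
        hits.append("DCOM activation request carrying CLSID WbemLevel1Login on tcp/135")
    return hits


def _header(ptype: int, frag_len: int, call_id: int) -> bytes:
    """Little-endian DCERPC common header: version 5.0, ptype, flags first|last, drep, frag_len, auth_len 0."""
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10, frag_len, 0, call_id)


def build_bind(iface: uuid.UUID) -> bytes:
    """Constructed test data: a minimal bind PDU with one context naming `iface` (v0) over NDR32 v2."""
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", 0, 0)
    ctx += NDR32.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx
    return _header(PTYPE_BIND, 16 + len(body), 1) + body


def build_activation_request() -> bytes:
    """Constructed test data: a request PDU to opnum 4 (RemoteCreateInstance) whose stub is
    simplified to zero padding around the WbemLevel1Login CLSID; real stubs carry full OBJREFs."""
    stub = b"\x00" * 40 + CLSID_WBEM_LEVEL1_LOGIN.bytes_le + b"\x00" * 24
    req_hdr = struct.pack("<IHH", len(stub), 0, 4)   # alloc_hint, p_cont_id, opnum
    return _header(PTYPE_REQUEST, 24 + len(stub), 2) + req_hdr + stub


# Constructed flows (dst_port, payload): a wmiexec-style session plus one bind to an unrelated interface.
SAMPLE_FLOWS = [
    (135, build_activation_request()),
    (49670, build_bind(uuid.UUID("F309AD18-D86A-11D0-A075-00C04FB68820"))),
    (49670, build_bind(uuid.UUID("9556DC99-828C-11CF-A37E-00AA003240C7"))),
    (49671, build_bind(SRVSVC)),
]


def scan(flows) -> list:
    """Run the detector over a list of (dst_port, payload) tuples."""
    return [hit for port, payload in flows for hit in wmi_indicators(payload, port)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(hit)
```

Two practical points follow from this shape. First, the bind on the dynamic port only gets inspected if the IDS looks at DCERPC on every TCP port, not just 135; a rule bound to port 135 alone sees the activation and nothing else. Second, these fingerprints identify the protocol, not intent: management tooling and monitoring agents speak WMI all day, so the alert is only useful once you know which sources are expected to talk WMI to which hosts and treat the rest as suspicious.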


Jaco Blokker

Educated as a chemical engineer, and having witnessed a huge explosion at a chemical plant on the last day of his internship 23 years ago, Blokker opted for a more secure life within KPN’s ISP operational and development teams as system administrator and security officer. Six years...

Thursday October 10, 2019 16:30 - 17:30 CEST
01. Westvleteren University