The Honest Mistake: Lateral Movement via WMI That Bypassed 47 Micro-Segmentation Policies

Gabriel Ferraresi · CEO | Tech86 · July 2, 2026 · 4 min read

Tags: security, lateral-movement, wmi, micro-segmentation, incident-response

We almost missed a lateral movement attack during an incident response. We were focused on the initial access vector — the phishing, the compromised credential, how the attacker got in. It was the obvious. It was what everyone wanted to know. But the obvious is exactly what blinds an IR team.

The obvious that blinds: focus on initial access

At Tech86, we were mapping the kill chain from the point of entry. Everything made sense. The phishing led to a compromised credential, the credential led to an active session, the session led to the initial server. The narrative was clean and linear — exactly the kind of narrative that makes a team stop looking.

According to Mandiant M-Trends, the average detection time for lateral movement is 14 days. Not because lateral movement is invisible, but because IR teams prioritize initial access. The attacker gets in, the team asks "how did they get in?", and while everyone watches the front door, the attacker is already moving through the hallways. That is the pattern. We were about to repeat it.

The discovery: a second set of activities

The difference was an analyst who questioned the consensus. By crossing identity data with endpoint telemetry, they noticed that there was a second set of activities that did not belong to the same actor: lateral movement via WMI, passing through 47 micro-segmentation policies that were apparently intact.

WMI is a frequently overlooked lateral movement vector. It is legitimate, it is native to Windows, and most EDR tools do not alert on its use because it blends into normal administrative noise. According to Unit 42, 87% of incidents only become visible when you cross identity, endpoint, and cloud. We were only looking at identity and endpoint — and even then we almost missed it. We were missing the cloud layer needed to confirm that the second set of activities was real.
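The identity-plus-endpoint cross-check the analyst performed can be written down as a small correlation. The following is an added example for this article, not Tech86's tooling: it pairs network logons (Event ID 4624, logon type 3) with process creations whose parent is WmiPrvSE.exe, the provider host that services remote WMI requests on the target, and then sets aside everything attributable to the actor the initial-access track already identified. What remains is the "second set of activities". The log records are constructed sample data and the field names are assumptions that would be mapped from whatever SIEM or EDR schema is in use.

```python
"""Correlate identity telemetry (Windows network logons) with endpoint telemetry
(process creation) to surface remote WMI execution that does not belong to the
activity set already under investigation.

Added example; not Tech86's tooling. All records below are constructed sample data
and the field names are an assumed schema, not a real product's."""
from datetime import datetime, timedelta

# Constructed identity telemetry: Event ID 4624 with LogonType 3 (network logon).
IDENTITY_EVENTS = [
    {"ts": "2026-07-01T09:12:04", "host": "FS01", "user": "j.silva",
     "src_ip": "10.10.5.21", "event_id": 4624, "logon_type": 3},
    {"ts": "2026-07-01T09:12:30", "host": "DB02", "user": "svc-migrate",
     "src_ip": "10.10.8.44", "event_id": 4624, "logon_type": 3},
    {"ts": "2026-07-01T09:40:11", "host": "DB02", "user": "svc-migrate",
     "src_ip": "10.10.8.44", "event_id": 4624, "logon_type": 3},
]

# Constructed endpoint telemetry: process creation (Sysmon Event ID 1 style).
ENDPOINT_EVENTS = [
    {"ts": "2026-07-01T09:12:06", "host": "FS01",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2026-07-01T09:12:08", "host": "FS01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-07-01T09:12:33", "host": "DB02",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-07-01T09:40:14", "host": "DB02",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# What the initial-access track has already attributed: the phished account and its source.
KNOWN_ACTOR = {"users": {"j.silva"}, "src_ips": {"10.10.5.21"}}

WINDOW = timedelta(seconds=30)  # assumed pairing window between logon and child process


def _t(s):
    return datetime.fromisoformat(s)


def wmi_child_processes(endpoint_events):
    """Processes spawned by the WMI provider host: the endpoint-side marker of remote WMI execution."""
    return [e for e in endpoint_events if e["parent"].lower().endswith(r"\wmiprvse.exe")]


def correlate_wmi_logons(identity_events, endpoint_events, window=WINDOW):
    """Pair each WMI-spawned process with a network logon on the same host shortly before it."""
    hits = []
    for proc in wmi_child_processes(endpoint_events):
        for logon in identity_events:
            if logon["event_id"] != 4624 or logon["logon_type"] != 3:
                continue
            if logon["host"] != proc["host"]:
                continue
            delta = _t(proc["ts"]) - _t(logon["ts"])
            if timedelta(0) <= delta <= window:
                hits.append({"ts": proc["ts"], "host": proc["host"], "user": logon["user"],
                             "src_ip": logon["src_ip"], "image": proc["image"]})
    return hits


def unattributed_activity(hits, known_actor):
    """Correlated WMI executions whose account and source match nothing already attributed."""
    return [h for h in hits
            if h["user"] not in known_actor["users"]
            and h["src_ip"] not in known_actor["src_ips"]]


if __name__ == "__main__":
    hits = correlate_wmi_logons(IDENTITY_EVENTS, ENDPOINT_EVENTS)
    for h in unattributed_activity(hits, KNOWN_ACTOR):
        print(f"[second activity set] {h['ts']} {h['user']}@{h['src_ip']} "
              f"-> {h['host']} ran {h['image']} via WMI")
```

The first WMI execution on FS01 is correlated but dropped, because it is the known actor's account from the known source; the two on DB02 survive as the unattributed set. Widening the window or matching on source IP alone changes how much administrative noise comes along, so the thresholds are a tuning decision for the environment, not a constant.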

Policy 23 and the 18-month legacy exception

Forty-seven micro-segmentation policies apparently intact. Apparently. When we audited each one, policy 23 had an overly broad allow rule. A temporary exception created 18 months earlier, never revoked. A truck was driving through it.

Micro-segmentation is a powerful defensive architecture when implemented well. But its weak point is not the initial configuration — it is the decay over time. Temporary exceptions become permanent. Broad allow rules remain because nobody wants to break something that works. Policy 23 was created for a migration project in January 2025. The project ended in March 2025. The exception remained until July 2026. Eighteen months of an open door that nobody remembered existed.
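The audit that surfaced policy 23 can be expressed as a script. The following is an added example, not Tech86's own audit tooling; the policy schema and the policy set are constructed, with policy 23 modelled on the one described above. It flags exceptions past their end date, allow rules that are too wide, and, for a given flow, which rule is actually carrying it.

```python
"""Audit a micro-segmentation policy set for the two decay patterns described above:
temporary exceptions that outlived their end date, and allow rules broad enough to pass
traffic (here, WMI/DCOM on TCP 135) that the segmentation was supposed to stop.

Added example; not Tech86's audit tooling. The policy schema is an assumption and the
policies are constructed sample data; policy 23 is modelled on the article's."""
from datetime import date
import ipaddress

TODAY = date(2026, 7, 2)  # audit date in the constructed scenario

# Constructed policy set. "ports": "any" means all ports; expires=None means permanent by design.
POLICIES = [
    {"id": 22, "action": "allow", "src": "10.10.5.0/24", "dst": "10.10.20.10/32",
     "ports": [443], "created": "2024-11-03", "expires": None, "tag": "web-frontend"},
    {"id": 23, "action": "allow", "src": "10.10.0.0/16", "dst": "10.10.0.0/16",
     "ports": "any", "created": "2025-01-02", "expires": "2025-03-31", "tag": "temp-migration"},
    {"id": 24, "action": "allow", "src": "10.10.8.0/24", "dst": "10.10.20.5/32",
     "ports": [135, 445], "created": "2025-06-01", "expires": None, "tag": "admin-jumphost"},
]


def parse_date(s):
    return date.fromisoformat(s)


def months_between(start, end):
    """Whole months elapsed from start to end."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return months


def expired_exceptions(policies, today=TODAY):
    """Policies whose end date has passed but which are still in the active set."""
    return [p for p in policies if p["expires"] and parse_date(p["expires"]) < today]


def overly_broad_allows(policies, min_prefixlen=24):
    """Allow rules that open every port, or whose source or destination is wider than a /24."""
    out = []
    for p in policies:
        if p["action"] != "allow":
            continue
        src = ipaddress.ip_network(p["src"])
        dst = ipaddress.ip_network(p["dst"])
        if p["ports"] == "any" or src.prefixlen < min_prefixlen or dst.prefixlen < min_prefixlen:
            out.append(p)
    return out


def policies_passing_flow(policies, src_ip, dst_ip, port):
    """Allow rules that would let a given flow through: answers 'what is this traffic riding on?'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if p["action"] == "allow"
            and s in ipaddress.ip_network(p["src"])
            and d in ipaddress.ip_network(p["dst"])
            and (p["ports"] == "any" or port in p["ports"])]


def audit(policies, today=TODAY):
    """Combine both checks into a list of (policy id, finding) tuples."""
    findings = []
    for p in expired_exceptions(policies, today):
        age = months_between(parse_date(p["created"]), today)
        findings.append((p["id"], f"exception expired {p['expires']} but still active; "
                                  f"created {age} months ago"))
    for p in overly_broad_allows(policies):
        findings.append((p["id"], f"overly broad allow: {p['src']} -> {p['dst']} ports {p['ports']}"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit(POLICIES):
        print(f"policy {pid}: {msg}")
    # Which rule carries a WMI (TCP 135) flow between two segments that should be isolated?
    for p in policies_passing_flow(POLICIES, "10.10.8.44", "10.10.20.10", 135):
        print(f"WMI flow 10.10.8.44 -> 10.10.20.10:135 passes via policy {p['id']} ({p['tag']})")
```

Policy 24 also opens TCP 135, but only from one jump-host subnet to one host, so it is neither expired nor broad and does not carry the sample flow; only policy 23 does. The useful property of the flow check is that it answers the containment question directly: revoking policy 23 closes the path without touching rules that are doing their job.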

According to Sophos X-Ops, there are documented cases of ransomware that deleted Windows Event Logs specifically to destroy lateral movement traces. The attacker does not need zero-days when the defense erases its own evidence through negligence. The legacy exception is the defensive equivalent of leaving the door open and throwing away the key.

What the data says: Mandiant, Unit 42, Sophos X-Ops

External data confirms that what we experienced was not an isolated case. According to Mandiant M-Trends, the average detection time for lateral movement is 14 days because IR teams prioritize initial access. Fourteen days is enough time for an attacker to traverse the entire infrastructure, establish persistence across multiple systems, and prepare the ground for ransomware or exfiltration.

According to Unit 42, 87% of incidents only become visible when you cross identity, endpoint, and cloud. Looking at a single layer is looking at a fraction of the picture. Lateral movement lives at the edges between layers — exactly where no individual tool looks.

According to Sophos X-Ops, there are documented cases of ransomware that deleted Windows Event Logs to destroy lateral movement traces. The attacker understands that the log is the evidence. Without logs, there is no investigation. Without investigation, there is no effective containment.

How we changed our methodology at Tech86

After this incident, we changed our methodology at Tech86. Every incident response now has a parallel lateral movement investigation track from minute zero, regardless of the entry vector. We do not wait to finish the initial access analysis to start looking for lateral movement. The two tracks run in parallel.

And every micro-segmentation policy is audited for legacy exceptions before containment. It is not enough to confirm that policies exist — we must confirm that they do what they should do, and that no temporary exception has become permanent. Exception auditing is now a mandatory step, not optional.

Learning this the hard way is what makes us better at what we do. The analyst who questioned the consensus saved that incident response. The lesson is not that we are infallible — it is that the discipline to question consensus is what separates a complete incident response from one that merely confirms what everyone already expected.

Conclusion

Lateral movement is the phase of the attack where the attacker is already inside and moving. It is the hardest phase to detect and the easiest to neglect. According to Mandiant M-Trends, 14 days is the average — and 14 days is a long time. At Tech86, we learned that the only defense against lateral movement is a parallel investigation track from minute zero, crossing identity, endpoint, and cloud, and auditing every legacy exception before containment. If you are in an incident response right now and only looking at initial access, stop. Start looking for lateral movement. The attacker is already moving.


Frequently Asked Questions

Lateral movement is the phase of the attack where the attacker is already inside and moving between systems to escalate privileges, establish persistence, and reach final targets. It is missed because IR teams prioritize initial access — the phishing, the compromised credential, how the attacker got in. According to Mandiant M-Trends, the average detection time for lateral movement is 14 days for exactly that reason.

Temporary exceptions become permanent when nobody revokes them. At Tech86, we found an exception created for a migration project in January 2025, never revoked, still active in July 2026 — 18 months later. The exception had an overly broad allow rule. All the lateral movement traffic via WMI was passing through it. The weak point of micro-segmentation is not the initial configuration, it is the decay over time.

According to Mandiant M-Trends, 14 days is the average detection time for lateral movement. Fourteen days is enough time for an attacker to traverse the entire infrastructure, establish persistence across multiple systems, and prepare the ground for ransomware or exfiltration. The problem is not that lateral movement is invisible — it is that teams look at the wrong place first.

According to Unit 42, 87% of incidents only become visible when you cross identity, endpoint, and cloud. Looking at a single layer is looking at a fraction of the picture. Lateral movement lives at the edges between layers — where no individual tool looks alone. Crossing all three layers is what makes lateral movement visible.

Every incident response at Tech86 now has a parallel lateral movement investigation track from minute zero, regardless of the entry vector. We do not wait to finish the initial access analysis to start looking for lateral movement. And every micro-segmentation policy is audited for legacy exceptions before containment — it is not enough to confirm that policies exist, we must confirm that they do what they should do.
