Last Post

Due to changes in the Microsoft Corporate Blogging Policy, all of my existing content has been moved to https://nathangau.wordpress.com. I will also be posting new content to that location. Thank you for your understanding.


Security Monitoring–Additional PowerShell Detections Addendum

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. This is a follow-up article to this piece that I wrote in early September. Not surprisingly, there was some noise in my initial lab tests…


Security Monitoring–Using SCOM to Detect Legacy TLS Protocol Usage

This has been on my bucket list for a while now, and I finally got around to figuring it out. TLS is a transport layer protocol…


Security Monitoring–Additional PowerShell Detections

Note that there is an addendum to this piece for override purposes. That can be found here. A colleague of mine turned me on to this…


Security Monitoring–Configuring SCOM to alert on attempts to kill Windows Defender

This is just a quick update to the next revision of Security Monitoring. If you don’t use Windows Defender, this will not generate any alerts, and…


Security Monitoring–Using SCOM to Detect Executables Run in Writeable OS Directories Part 2

You can find part 1 here. ***Please Read This First*** I need to preface this article by simply saying that this is the type of thing…


Security Monitoring–Using SCOM to Detect Executables Run in Writeable OS Directories Part 1

I had the privilege of attending Microsoft Ready this last July. That allowed for some very useful networking. In this case, I got to speak a…


Security Monitoring–Updating Service Created on DC Rule

One piece of feedback that I’ve seen in regards to security monitoring is noise due to services created on a domain controller. In general, this should…


Security Monitoring–Updating Scheduled Task Creation Rule

One piece of feedback I’ve gotten is that monitoring the creation of scheduled tasks as well as service creation on domain controllers can get a bit…


Securing SCOM in a Privilege Tiered Access Model–Part 3

You can find Part 1 here. You can find Part 2 here. In summary, we went over various security concerns deploying SCOM. Although there are a…
