Security Monitoring: Using SCOM to Detect Bypassed Authentication Package Back Door

One persistence method that an attacker can use is to modify an Operating System’s authentication packages in order to give the attacker a back door for entry into a system as desired. Auditing this behavior in SCOM turned out to be a bit trickier than I would have liked.  The key in question is HKLM\System\CurrentControlSet\Control\LSA\Authentication…

Security Monitoring: Detecting Wdigest Authentication

One of the noisier items in the Security Monitoring Management Pack is the monitor that triggers against all Windows 2008 R2 and below systems if the proper WDigest post-patch configurations have not been applied. WDigest is another older protocol that was addressed with KB 2871997. Prior to 2008 R2, WDigest credentials remained in the LSA…

Security Monitoring: Using SCOM to Detect SMB1 Authentications

I think at this point, we are all aware of the dangers posed by continuing SMB1 authentication in an environment. The WannaCry virus infected more than 400,000 machines and caused a number of outages across many organizations. Detecting SMB1 is unfortunately not quite as easy as some protocols. A colleague of mine, Leanne Livingstone, provided…

Security Monitoring: Using SCOM to detect NTLMv1 and LanManager Authentication Types

One of the big changes in the next release of the Security Monitoring management pack will be reports designed to let administrators know if they are using older protocols in their environments. It goes without saying that many older protocols are often full of vulnerabilities. As well, they tend to be on by default due…

A Deep Dive into Dynamic Group Calculation and How it Affects SCOM Performance

I would first like to give a special thanks to John Mckeown and Nick Masiuk, both of whom provided major contributions to the work described below. For those that know SCOM, it isn’t necessarily the fastest application out there, particularly with console performance. Troubleshooting that can be painful, though it can typically be traced…

Stupid Little Problem with SNMP Version Tags

I don’t normally get to work with SNMP, but I’ve been at a customer this week where we needed to configure SCOM to do SNMP monitoring. This is fairly straightforward, and Kevin has written a nice article on how to do that here. I ran into an issue though with regards to removing the version…

SCOM Security Monitoring in Action: Detecting an Attacker

This is a fun little story today, but I got to see firsthand how our security management pack works during a real, non-simulated attack. I was pleasantly surprised by the results. For the record, I keep a couple of labs. One is internal, blocked from the world, and I spend most of my time…

Using SCOM to Capture Registering Remotely Located DLL Files

I’ve started browsing some sites that are cataloguing known attack vectors and came across this particular vulnerability that is worth discussing. Many seasoned IT pros understand the use of RegSvr32 to register DLL files. This executable is very integral to Windows, as it registers DLLs for OS and application use. A little known flaw is…

Security Monitoring MP: Powershell Exploit Toolkit Rules

In this post we will discuss using SCOM to detect various PowerShell exploits that are commercially available for download and use. I’d note that there are limits to this type of detection activity. First, it is worth noting that good attackers don’t use commercial off-the-shelf attack tools but instead recompile them to…