Using SCOM to Detect Scheduled Task Creation

One well-known thing that attackers like to do is create scheduled tasks to periodically execute their payloads. Detecting scheduled task creation is not terribly difficult. While it does not use the standard logs, there is an operational Task Scheduler log available that generates an event ID 106 whenever a scheduled task is…

Using SCOM to Detect Service Creation

For those who cover security, this piece of information is not all that new, but for those who happen to be SCOM administrators and not necessarily security people by trade, this might be useful. Detecting service creation is the easy part. When a service is created on a system, event ID 7045 is generated in…

Using SCOM to Detect Golden Tickets

For the three people who religiously read my blog, you know by now that I’ve been writing quite a bit on using SCOM to detect some of the anomalous events that are specific to an intruder in your environment. This is the first of what will hopefully be a few rules needed to detect the…

Using SCOM to Capture Events from the Forwarded Events Log

So I ran into an interesting problem the other day. The premise was pretty simple. I have security events that are being forwarded from workstations via Windows Event Subscriptions. The idea behind it is to avoid putting a SCOM agent on potentially thousands of workstations, and instead to look for key security events that will…

Using SCOM to Detect Overpass the Hash Attacks

An overpass the hash attack is another flavor of a pass the hash attack, except that the attacker is passing a key instead of an NTLM hash. As such, it is technically a Kerberos-based attack. This type of attack is useful once an environment is already compromised, as the key needed for the…

Using SCOM to Detect WDigest Enumeration

In a recent conversation with colleague Jessica Payne, it was noted that one of the most common forms of credential theft presently involves using exposed WDigest credentials. WDigest, while not commonly used today, is still enabled by default in large part because of legacy applications that use it. While this was fine back in…

Using SCOM to Detect Pass the Ticket Attacks

Last month, I wrote a two-part series on using SCOM to detect pass the hash attacks. I’ve decided to take some time and focus on pass the ticket attacks. There isn’t a whole lot different between the two attack methods. Both require administrative rights on the machine (and let’s face it, that is…

SCOM 2012 and 2016 WebConsole and FIPS Compatibility

Update: I had the opportunity to test this on SCOM 2016 and the same procedure works. Also, I’ve uploaded gacutil as well as the SCOM DLL here, as they are not on the SCOM 2016 DVD either. You can find them here. Previous Article: _________ As a quick overview, FIPS stands for Federal Information…

Alert Management Tuning: The SQL Management Packs

I recently had the privilege of participating in a discussion regarding some of the alerts generated by the SQL management pack. That gave me an idea for a set of articles on tuning specific management packs. I don’t plan on covering each and every MP that has been…

Using SCOM to Detect Failed Pass the Hash attacks (Part 2)

A couple of weeks back, I wrote a piece on creating some rules to potentially detect pass the hash attacks in your environment. This is the second article in this series, and, if time permits, one of many more I hope to do over the next year or so on using SCOM to detect active…