Security Monitoring–Additional PowerShell Detections Addendum

This is a follow-up article to this piece that I wrote in early September. Not surprisingly, there was some noise in my initial lab tests. Two rules in particular were noisy, and the chief culprit happened to be SCOM. The rule governing PowerShell running in memory only as well as the rule to bypass…

Security Monitoring–Using SCOM to Detect Legacy TLS Protocol Usage

This has been on my bucket list for a while now, and I finally got around to figuring it out. TLS is a transport layer protocol that is effectively a part of SSL. Basically, it’s used to encrypt web-based traffic so that prying eyes cannot see. Like every protocol, over time its weaknesses are…

Security Monitoring–Additional PowerShell Detections

Note that there is an addendum to this piece for override purposes. That can be found here. A colleague of mine turned me on to this particular article on ways to use PowerShell to bypass execution policies. It’s worth noting that PowerShell is a powerful tool that was designed to give a lot of flexibility…

Security Monitoring–Configuring SCOM to alert on attempts to kill Windows Defender

This is just a quick update to the next revision of Security Monitoring. If you don’t use Windows Defender, this will not generate any alerts, and in general it should be quiet even if you do use Windows Defender. This will only work if you have the audit process creation GPO set. I’d also note,…

Security Monitoring–Using SCOM to Detect Executables Run in Writeable OS Directories Part 1

I had the privilege of attending Microsoft Ready this last July. That allowed for some very useful networking. In this case, I got to speak a bit with some security professionals who do forensic investigations after a compromise. One common attack vector is something seen once the attacker has gained access to a machine. They…

Security Monitoring–Updating Service Created on DC Rule

One piece of feedback that I’ve seen in regard to security monitoring is noise due to services created on a domain controller. In general, this should not be a common event, but occasionally legitimate applications do create services on a domain controller. As such, I’ve done a minor rewrite of this rule to allow for…

Security Monitoring–Updating Scheduled Task Creation Rule

One piece of feedback I’ve gotten is that monitoring the creation of scheduled tasks as well as service creation on domain controllers can get a bit noisy due to typical business activities. While these particular activities don’t happen terribly often, it’s possible to have applications that create scheduled tasks or services as needed. As such,…

Securing SCOM in a Privilege Tiered Access Model–Part 3

You can find Part 1 here. You can find Part 2 here. In summary, we went over various security concerns deploying SCOM. Although there are a bunch listed, there are two that I believe could take down an organization in a hurry: poor run as account distribution or a SCOM admin’s account being compromised. The…

Securing SCOM in a Privilege Tiered Access Model–Part 2

Previously, I discussed basic security posture and what is needed to secure a SCOM installation. The post can be found here. In summary, we discussed risks associated with malicious management packs and the use of a service account for agent action instead of the local system. This discussion will focus a bit deeper on account…