A Deep Dive into Dynamic Group Calculation and How it Affects SCOM Performance

I would first like to give a special thanks to John Mckeown and Nick Masiuk, both of whom provided major contributions to the work described below. For those that know SCOM, it isn’t necessarily the fastest application out there, particularly with console performance.  Troubleshooting that can be painful, though it can typically be traced…


Stupid Little Problem with SNMP Version Tags

I don’t normally get to work with SNMP, but I’ve been at a customer this week where we needed to configure SCOM to do SNMP monitoring.  This is fairly straightforward, and Kevin has written a nice article on how to do that here.  I ran into an issue though with regards to removing the version…


SCOM Security Monitoring in Action: Detecting an Attacker

This is a fun little story today, but I got to see first-hand how our security management pack works during a real, non-simulated attack.  I was pleasantly surprised by the results.  For the record, I keep a couple of labs.  One is internal, blocked from the world, and I spend most of my time…


Using SCOM to Capture Registering Remotely Located DLL Files

I’ve started browsing some sites that are cataloguing known attack vectors and came across this particular vulnerability that is worth discussing.  Many seasoned IT pros understand the use of RegSvr32 to register DLL files.  This executable is very integral to Windows, as it registers DLLs for OS and application use.  A little-known flaw is…


Security Monitoring MP: Powershell Exploit Toolkit Rules

In this post we will discuss using SCOM to detect various PowerShell exploits that are commercially available for download and use.  I’d note that there are limits to this type of detection activity. First, it is worth noting that good attackers don’t use commercial off-the-shelf attack tools but instead recompile them to…


Security Monitoring MP AppLocker Rules

I’ll be honest in that these are included because they are easy to do, but in reality, they do not provide much in terms of protection. Traditional anti-virus works to detect many of these tools, and while an attacker can corrupt AV pretty easily, it’s also just as easy to recompile these tools so…


Security Monitoring Management Pack Summary

I’m rewriting the main page for the Security Monitoring MP to be a bit less cluttered.  I will be using this space to document this management pack with a simple link off from there.  I’ll also use this space to document the change log.  As a reminder, this is more than just an import and…


Post Configuration Tasks for the Security Monitoring Management Pack

As I have mentioned in the initial posts, using the security monitoring management pack is going to require certain practices and procedures to be in place.  Simply importing the management pack will not give you a picture of everything that it is designed to monitor.  Ultimately, this management pack serves two purposes.  The first is…


Potential Areas for Noise in the Security Monitoring Management Pack

I stated that a main purpose of this management pack is to keep noise volume to a minimum.  As such, the bulk of the rules in place that will catch normal business activity are disabled.  That said, testing has revealed some alerts that will generate in certain circumstances.  For various reasons, it was decided to…
