Using SCOM to Detect Overpass the Hash Attacks

An overpass the hash attack is another flavor of a pass the hash type attack, except that the attacker is passing a key instead of an NTLM hash. As such, it is technically a Kerberos based attack. This type of attack is useful once an environment is already compromised as the key needed for the…

Using SCOM to Detect WDigest Enumeration

In a recent conversation with fellow colleague Jessica Payne, it was noted that one of the most common forms of credential theft presently involves using exposed WDigest credentials. WDigest, while not commonly used today, is still enabled by default in large part because of legacy applications that use it. While this was fine back in…

Using SCOM to Detect Pass the Ticket Attacks

Last month, I wrote a two part series on using SCOM to detect pass the hash attacks. I’ve decided to take some time and focus on pass the ticket attacks. There isn’t a whole lot different between the two attack methods. Both require administrative rights on the machine (and let’s face it, that is…

SCOM 2012 and 2016 WebConsole and FIPS Compatibility

Update: I had the opportunity to test this on SCOM 2016 and the same procedure works. Also, I’ve uploaded GAC util as well as the SCOM DLL here as they are not on the SCOM 2016 DVD either. You can find them here. Previous Article: _________ As a quick overview, FIPS stands for Federal Information…

Alert Management Tuning: The SQL Management Packs

I recently had the privilege of participating in a discussion in regards to some of the alerts generated by the SQL management pack. In so doing, that gave me an idea for a set of articles in regards to tuning specific management packs. I don’t plan on covering each and every MP that has been…

Using SCOM to Detect Failed Pass the Hash attacks (Part 2)

A couple weeks back, I wrote a piece on creating some rules to potentially detect pass the hash attacks in your environment. This is the second article in this series, and if time permits one of many more I hope to do over the next year or so on using SCOM to detect active…

Monitors vs. Rules and how they Affect Alert Management

I’m going to do a back to the basics article here, and it’s not because things haven’t been written on the subject of monitors, rules, and SCOM, but because I don’t think they have been flushed out well, and to non-seasoned SCOM engineers, they are not exactly intuitive. As such, I wanted to walk…

Using SCOM to Detect Successful Pass the Hash attacks (Part 1)

Part 2 is here. Those that know me know I’ve been using my free time to mess around with the idea of being able to use SCOM to help in identifying when an advanced persistent threat is active in your environment. This is a problem that most IT organizations have given that the average attacker…

Deploying and Troubleshooting SCOM on Unix/Linux machines

I’m not going to rehash all the how-to articles written on deploying SCOM agents to cross platform machines, but I do think there would be some benefit in having a consolidated location to provide information as to the tips and tricks as well as issues that pop up along the way. To be clear, I’m…

The Stubborn Gray Agent

I first want to thank one of my customers for providing the screenshots to this particular issue. I’ve run into this particular issue a couple of times, but never had screenshots that I could use to demonstrate the behavior. That said, gray agents are generally fairly easy to troubleshoot. They have a wide…
