Using SCOM to Detect Overpass the Hash Attacks

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. An overpass the hash attack is another flavor of a pass the hash type attack except that the attacker is passing a key instead of an…

Using SCOM to Detect WDigest Enumeration

In a recent conversation with fellow colleague Jessica Payne, it was noted that one of the most common forms of credential theft presently involves using exposed…

Using SCOM to Detect Pass the Ticket Attacks

Last month, I wrote a two part series on using SCOM to detect pass the hash attacks. I’ve decided to take some time and focus on…

SCOM 2012 and 2016 WebConsole and FIPS Compatibility

Update: I had the opportunity to test this on SCOM 2016 and the same procedure works. Also, I’ve uploaded GAC util as well as the SCOM…

Alert Management Tuning: The SQL Management Packs

I recently had the privilege of participating in a discussion in regards to some of the alerts generated by the SQL management pack. In so doing,…

Using SCOM to Detect Failed Pass the Hash attacks (Part 2)

A couple weeks back, I wrote a piece on creating some rules to potentially detect pass the hash attacks in your environment. This is the second…

Monitors vs. Rules and how they Affect Alert Management

I’m going to do a back to the basics article here, and it’s not because things haven’t been written on the subject of monitors, rules, and…

Using SCOM to Detect Successful Pass the Hash attacks (Part 1)

Part 2 is here. Those that know me know I’ve been using my free time to mess around with the idea of being able to use…

Deploying and Troubleshooting SCOM on Unix/Linux machines

I’m not going to rehash all the how to articles written on deploying SCOM agents to cross platform machines, but I do think there would be…

The Stubborn Gray Agent

June 2018 Update to this piece posted here. That behavior would likely cause a gray agent as well. I first want to thank one of my…