Using SCOM to Capture Suspicious Process Creation Events

I recently had the privilege of chatting with Greg Cottingham on the Azure Security Center Analyst Team about process creation events and how to use them to detect anomalous events that need to be investigated.  It was a very interesting discussion and I was given a few real world examples of how the bad guys…

Windows Event Collector Discovery Management Pack

This is a management pack I wrote for the SCOM security MP. If you have Windows Event Collectors set up in your network, this will discover them and populate a class for you to monitor them. It is worth noting that it discovers the running service. That service is disabled by default, so I’m assuming if…

Breaking apart the GPO Modification Process and Using SCOM to Detect GPO Changes – Part 1

A while back a colleague of mine introduced me to some work done by two other colleagues which involved using SCOM to alert against changes made to GPOs. First, Jan Varšavský wrote the framework for SCOM 2007, which was later updated by Nathan Olmstead. Andres Naranjo took this a step further, writing a composite…

Using SCOM to Detect Scheduled Task Creation

One well-known thing that attackers like to do is to create scheduled tasks to periodically execute their payloads. Detecting scheduled task creation is not terribly difficult. While it does not use the standard logs, there is an operational Task Scheduler log available that generates an event ID 106 whenever a scheduled task is…

Using SCOM to Detect Service Creation

For those that cover security, this piece of information is not all that new, but for those that happen to be SCOM administrators and not necessarily security people by trade, this might be useful. Detecting service creation is the easy part. When a service is created on a system, event ID 7045 is generated in…

Using SCOM to Detect Golden Tickets

For the three people that religiously read my blog, you know by now that I’ve been writing quite a bit on using SCOM to detect some of the anomalous events that are specific to an intruder in your environment. This is the first of what will hopefully be a few rules needed to detect the…

Using SCOM to Capture Events from the Forwarded Events Log

So I ran into an interesting problem the other day.  The premise was pretty simple. I have security events that are being forwarded from workstations via Windows Event Subscriptions.  The idea behind it is to avoid putting a SCOM agent on potentially thousands of workstations, but to instead look for key security events that will…
