Reliable Time Monitor False Positives for AD Domain Member Monitoring

I had a chance to work with a customer on importing the new AD MP for SCOM. I like this MP in particular, as it’s much less noisy than the old management pack for AD. That said, one thing I’ve seen in a few environments is a warning from the Reliable Time Server Monitor being…

0

Security Monitoring: Using SCOM to Detect Bypassed Authentication Package Back Door

One persistence method that an attacker can use is to modify an Operating System’s authentication packages in order to give the attacker a back door for entry into a system as desired. Auditing this behavior in SCOM turned out to be a bit trickier than I would have liked.  The key in question is HKLM\System\CurrentControlSet\Control\LSA\Authentication…

0

Security Monitoring: Detecting Wdigest Authentication

One of the noisier items in the Security Monitoring Management Pack is the monitor that triggers against all Windows 2008 R2 and below systems if the proper WDigest post patch configurations have not been applied. WDigest is another older protocol that was addressed with KB 2871997. Prior to 2008R2, Wdigest credentials remained in the LSA…

0

Security Monitoring: Using SCOM to Detect SMB1 Authentications

I think at this point, we are all aware of the dangers posed by continuing SMB1 authentication in an environment. The virus wannacry infected more than 400,000 machines and caused a number of outages across many organizations. Detecting SMB1 is unfortunately not quite as easy as some protocols. A colleague of mine, Leanne Livingstone, provided…

0

Security Monitoring: Using SCOM to detect NTLMv1 and LanManager Authentication Types

  One of the big changes in the next release of the Security Monitoring management pack will be reports designed to let administrators if they are using older protocols in their environments. It goes without saying that many older protocols are often full of vulnerabilities. As well, they tend to be on by default due…

0

A Deep Dive into Dynamic Group Calculation and How it Affects SCOM Performance

  I would first like to give a special thanks to John Mckeown and Nick Masiuk, both of whom provided major contributions to the work described below. For those that know SCOM, it isn’t necessarily the fastest application out there, particularly with console performance.  Troubleshooting that can be painful, though it can typically be traced…

3

Stupid Little Problem with SNMP Version Tags

I don’t normally get to work with SNMP, but I’ve been at a customer this week where we needed to configure SCOM to do SNMP monitoring.  This is fairly straight forward, and Kevin has written a nice article how to do that here.  I ran into an issue though with regards to removing the version…

0

SCOM Security Monitoring in Action: Detecting an Attacker

This is a fun little story today, but I got to see first hand how our security management pack works during a real, non-simulated attack.  I was pleasantly surprised by the results.  For the record I keep a couple of labs.  One is internal, blocked from the world, and I spend most of my time…

2

Using SCOM to Capture Registering Remotely Located DLL Files

  I’ve started browsing some sites that are cataloguing known attack vectors and came across this particular vulnerability that is worth discussing.  Many seasoned IT pros understand the use of RegSvr32 to register DLL files.  This executable is very integral to Windows as registers DLLs for OS and application use.  A little known flaw is…

2