Security Monitoring: Using SCOM to Detect SMB1 Authentications

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks.

I think at this point, we are all aware of the dangers posed by continuing SMB1 authentication in an environment. The virus wannacry infected more than 400,000 machines and caused a number of outages across many organizations.

Detecting SMB1 is unfortunately not quite as easy as some protocols. A colleague of mine, Leanne Livingstone, provided me with a simple PowerShell script that can be run to see active SMB connections on any server.

Get-SmbSession | Select Dialect,ClientComputerName,ClientUserName | ? Dialect -lt 2

We initially experimented with an alert generating rule for this; however, that generates a lot of noise. As such, this has been moved to a report.

Brad Watts created a simple collection rule using this script and the report. It will list both the user(s) and machine(s) doing SMB1 authentication so that administrators can determine which systems in their environment need to be adjusted.