Security Monitoring: A Possible New Way to Detect Privilege Escalation

The problem that most defense mechanisms have in detecting the adversary is that they tend to be focused on detecting the tools far more so than detecting the results. There are reasons for this, the most obvious being that it is very easy for there to be false positives within the results, and as such,…

0

Security Monitoring: Using SCOM to Collect LAPS Events

This is a short post for documentation only, but LAPS can be configured to put audit events in the Windows Security Log. These are event ID 4662 with an Event Source of AdmPwd. I’ve set a collection rule for both Windows Event Collectors as well as Windows Servers to collect these events. There is currently…

0