SCOM Security Monitoring in Action: Detecting an Attacker

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. This is a fun little story today, but I got to see first-hand how our security management pack works during a real, non-simulated attack. I…


Introducing the Security Monitoring Management Pack for SCOM (updated May 2018)

For those of you who haven’t met me or visited my blog, I’ve worked in SCOM now for the better part of 5 years. I’ve also…

Using SCOM to Detect Scheduled Task Creation

One well known thing that attackers like to do is to create scheduled tasks to periodically execute their payloads. Detecting scheduled task creation is not terribly…

Future Plans/Requests for Security Monitoring MP

I wanted to take a few minutes and discuss current plans for upcoming changes in the security MP. I’d also like to use this space as…

Security Monitoring–Using SCOM to Detect Executables Run in Writeable OS Directories Part 1

I had the privilege of attending Microsoft Ready this last July. That allowed for some very useful networking. In this case, I got to speak a…

Securing SCOM in a Privilege Tiered Access Model–Part 3

You can find Part 1 here. You can find Part 2 here. In summary, we went over various security concerns deploying SCOM. Although there are a…

Potential Areas for Noise in the Security Monitoring Management Pack

I stated that a main purpose of this management pack is to keep noise volume to a minimum. As such, the bulk of the rules in…

Using SCOM to Capture Registering Remotely Located DLL Files

I’ve started browsing some sites that are cataloguing known attack vectors and came across this particular vulnerability that is worth discussing. Many seasoned IT pros understand…

Security Monitoring: Using SCOM to detect NTLMv1 and LanManager Authentication Types

One of the big changes in the next release of the Security Monitoring management pack will be reports designed to let administrators know if they are using…