Post Configuration Tasks for the Security Monitoring Management Pack

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. As I have mentioned in the initial posts, using the security monitoring management pack is going to require certain practices and procedures be in place. Simply…

Using SCOM to Capture Suspicious Process Creation Events

I recently had the privilege of chatting with Greg Cottingham on the Azure Security Center Analyst Team about process creation events and how to use them…

Using SCOM to Detect Scheduled Task Creation

One well known thing that attackers like to do is to create scheduled tasks to periodically execute their payloads. Detecting scheduled task creation is not terribly…

Using SCOM to Detect Golden Tickets

For the three people that religiously read my blog, you know by now that I’ve been writing quite a bit on using SCOM to detect some…

Using SCOM to Detect WDigest Enumeration

In a recent conversation with fellow colleague Jessica Payne, it was noted that one of the most common forms of credential theft presently involves using exposed…

Using SCOM to Detect Pass the Ticket Attacks

Last month, I wrote a two part series on using SCOM to detect pass the hash attacks. I’ve decided to take some time and focus on…

Alert Management Tuning: The SQL Management Packs

I recently had the privilege of participating in a discussion in regard to some of the alerts generated by the SQL management pack. In so doing,…

Monitors vs. Rules and how they Affect Alert Management

I’m going to do a back to the basics article here, and it’s not because things haven’t been written on the subject of monitors, rules, and…
