Security Monitoring: Using SCOM to detect NTLMv1 and LanManager Authentication Types

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. One of the big changes in the next release of the Security Monitoring management pack will be reports designed to let administrators know whether they are using…
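As an added illustration that is not code from the original post or from the Security Monitoring management pack: Security event 4624 carries an LmPackageName data field that names the NTLM flavour actually negotiated (NTLM V2, NTLM V1 or LM), so a report on weak authentication types comes down to reading that field. The PowerShell below does that; the four event records are constructed samples shaped like 4624 XML, and the account names and addresses in them are invented.

```powershell
# Added example, not code from the original post or the Security Monitoring MP.
# Security event 4624 records which package authenticated the logon; for NTLM
# the 'LmPackageName' data field says whether it was 'NTLM V2', 'NTLM V1' or
# 'LM'. Reporting on weak types is a matter of reading that field.

function Get-LogonAuthTypeSummary {
    param(
        # One [xml] document per event, as returned by [xml]$record.ToXml()
        [Parameter(Mandatory)]
        [System.Xml.XmlDocument[]] $EventXml
    )
    foreach ($doc in $EventXml) {
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $lm = $data['LmPackageName']
        [pscustomobject]@{
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
            Package   = $data['AuthenticationPackageName']
            LmPackage = $lm
            # Kerberos logons carry '-' here; only V1 and LM are the weak types
            Weak      = ($lm -in @('NTLM V1', 'LM'))
        }
    }
}

# Constructed sample events (invented accounts and addresses) shaped like 4624 XML.
$eventNs = 'http://schemas.microsoft.com/win/2004/08/events/event'
$samples = @(
    @{ User = 'svc_backup'; Pkg = 'NTLM';     Lm = 'NTLM V1'; Ip = '10.0.0.25' },
    @{ User = 'jdoe';       Pkg = 'Kerberos'; Lm = '-';       Ip = '10.0.0.40' },
    @{ User = 'legacyapp';  Pkg = 'NTLM';     Lm = 'LM';      Ip = '10.0.0.77' },
    @{ User = 'asmith';     Pkg = 'NTLM';     Lm = 'NTLM V2'; Ip = '10.0.0.12' }
) | ForEach-Object {
    [xml] @"
<Event xmlns='$eventNs'>
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name='TargetUserName'>$($_.User)</Data>
    <Data Name='TargetDomainName'>CORP</Data>
    <Data Name='LogonType'>3</Data>
    <Data Name='AuthenticationPackageName'>$($_.Pkg)</Data>
    <Data Name='LmPackageName'>$($_.Lm)</Data>
    <Data Name='IpAddress'>$($_.Ip)</Data>
  </EventData>
</Event>
"@
}

# Only the svc_backup (NTLM V1) and legacyapp (LM) logons should be listed.
Get-LogonAuthTypeSummary -EventXml $samples | Where-Object Weak | Format-Table -AutoSize

# Against a live host, feed real records the same way (reading the Security log needs admin):
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1000 |
#           ForEach-Object { [xml] $_.ToXml() }
#   Get-LogonAuthTypeSummary -EventXml $live | Where-Object Weak
```

Grouping the weak rows by Source and Account is what turns this into the kind of report the post describes: it tells you which hosts and service accounts still need to be moved off NTLMv1 and LM before the LmCompatibilityLevel policy is raised.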

Security Monitoring: A Possible New Way to Detect Privilege Escalation

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. The problem that most defense mechanisms have in detecting the adversary is that they tend to be focused on detecting the tools far more so than…

Security Monitoring: Using SCOM to Detect Bypassed Authentication Package Back Door

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. One persistence method that an attacker can use is to modify an Operating System’s authentication packages in order to give the attacker a back door for…
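An added example of the check that a monitor for this technique reduces to; it is not code from the original post or from the management pack. LSASS loads the DLLs named in the REG_MULTI_SZ value 'Authentication Packages' under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, so an entry there that is not in your baseline is the artifact to look for. The allowlist (msv1_0 alone) is an assumed baseline that should be taken from a known-good host of the same build, and the tampered sample and its DLL name are invented.

```powershell
# Added example, not code from the original post or the Security Monitoring MP.
# LSASS loads every DLL listed in the REG_MULTI_SZ value 'Authentication Packages'
# under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa at boot, and those packages
# see the credentials of every logon. Persistence via this key means an entry
# that is not in your baseline; the check below is just that comparison.

function Test-LsaAuthenticationPackages {
    param(
        # Contents of the registry value (string[] because it is REG_MULTI_SZ)
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]] $Configured,

        # Assumed baseline: stock Windows ships only msv1_0. Take the real list
        # from a known-good host of the same build rather than trusting this default.
        [string[]] $Allowed = @('msv1_0')
    )
    # Exact (case-insensitive) match against the baseline: any deviation,
    # including a path or extension an attacker appends, is reported.
    $unexpected = @($Configured | Where-Object { $Allowed -notcontains $_.Trim() })
    [pscustomobject]@{
        Configured = $Configured
        Unexpected = $unexpected
        Clean      = ($unexpected.Count -eq 0)
    }
}

function Get-LsaAuthenticationPackages {
    # Live read (Windows only). Group Policy or a manual edit can change this
    # value; an unexplained change is what the monitor should alert on.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Authentication Packages'
    [string[]] $lsa.'Authentication Packages'
}

# Constructed samples (no real hosts; the second DLL name, lsa_helper, is invented).
$stock    = Test-LsaAuthenticationPackages -Configured @('msv1_0')
$tampered = Test-LsaAuthenticationPackages -Configured @('msv1_0', 'lsa_helper')

$stock    | Format-List Configured, Unexpected, Clean
$tampered | Format-List Configured, Unexpected, Clean

# On a real host:
#   Test-LsaAuthenticationPackages -Configured (Get-LsaAuthenticationPackages)
```

Because the package only takes effect after a reboot, the registry comparison catches the implant before it starts collecting credentials; pairing it with Security event 4610 ("An authentication package has been loaded by the Local Security Authority") covers the case where the change was made and the host was rebooted between two polls.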

Security Monitoring: Detecting Wdigest Authentication

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. One of the noisier items in the Security Monitoring Management Pack is the monitor that triggers against all Windows 2008 R2 and below systems if the…

Security Monitoring: Using SCOM to Detect SMB1 Authentications

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. I think at this point we are all aware of the dangers of leaving SMB1 enabled in an environment. The WannaCry ransomware infected more than…

Post Configuration Tasks for the Security Monitoring Management Pack

Disclaimer: Due to changes in the MSFT corporate blogging policy, I’m moving all of my content to the following location. Please reference all future content from that location. Thanks. As I have mentioned in the initial posts, using the security monitoring management pack is going to require certain practices and procedures to be in place. Simply…