Security Monitoring: Using SCOM to Detect SMB1 Authentications

I think at this point we are all aware of the dangers posed by continuing to allow SMB1 authentication in an environment. The WannaCry virus infected more than 400,000 machines and caused a number of outages across many organizations.

Detecting SMB1 is unfortunately not as straightforward as it is for some other protocols. A colleague of mine, Leanne Livingstone, provided me with a simple PowerShell script that can be run to list the active SMB sessions on any server and keep only those negotiated below SMB 2.0:

Get-SmbSession | Select Dialect,ClientComputerName,ClientUserName | ? Dialect -lt 2

We initially experimented with an alert generating rule for this; however, that generates a lot of noise. As such, this has been moved to a report.

Brad Watts created a simple collection rule using this script and the report. It will list both the user(s) and machine(s) doing SMB1 authentication so that administrators can determine which systems in their environment need to be adjusted.
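The following script is an added example of how the one-liner above can be turned into a scheduled collection of SMB1 sessions; it is not the collection rule Brad Watts built and not code from the original post. It assumes the SmbShare module (Get-SmbSession) is available on the monitored server and, when run with -EmitPropertyBags, that a SCOM agent is installed so the MOM.ScriptAPI COM object is registered. The function names, the grouping by client and user, and the property bag field names are all my own choices.

```powershell
# Added example, not the original post's code. Assumptions: runs on the SMB server being
# monitored (SmbShare module present); MOM.ScriptAPI only exists where a SCOM agent is installed.
param(
    # When set, emit SCOM property bags (for a script-based collection rule)
    # instead of printing a table for an interactive run.
    [switch]$EmitPropertyBags
)

function Get-Smb1Session {
    # Point-in-time snapshot of active sessions negotiated below SMB 2.0.
    # Get-SmbSession reports Dialect as a string such as "1.5", "2.1" or "3.1.1",
    # so parse it as [version] and compare the major number instead of comparing strings.
    Get-SmbSession -ErrorAction Stop |
        Where-Object {
            $v = $null
            [version]::TryParse($_.Dialect, [ref]$v) -and ($v.Major -lt 2)
        } |
        Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens, SecondsExists
}

function Get-Smb1SessionSummary {
    # One row per (client, user) pair rather than one per session. Many SMB1 clients open
    # several sessions at once, and collapsing them is what keeps the report readable.
    $collectedAt = (Get-Date).ToUniversalTime().ToString('o')
    Get-Smb1Session |
        Group-Object -Property ClientComputerName, ClientUserName |
        ForEach-Object {
            [pscustomobject]@{
                Server       = $env:COMPUTERNAME
                Client       = $_.Group[0].ClientComputerName
                User         = $_.Group[0].ClientUserName
                Dialect      = $_.Group[0].Dialect
                SessionCount = $_.Count
                OpenFiles    = ($_.Group | Measure-Object -Property NumOpens -Sum).Sum
                CollectedUtc = $collectedAt
            }
        }
}

$rows = @(Get-Smb1SessionSummary)

if (-not $EmitPropertyBags) {
    # Interactive use: print what an administrator needs to chase down each client.
    if ($rows.Count -eq 0) { Write-Output "No active SMB1 sessions on $env:COMPUTERNAME" }
    else { $rows | Format-Table -AutoSize }
    return
}

# SCOM use: one property bag per row, written to the pipeline so the collection rule's
# data source can map the values into the data warehouse for the report.
$api = New-Object -ComObject 'MOM.ScriptAPI'
foreach ($row in $rows) {
    $bag = $api.CreatePropertyBag()
    $bag.AddValue('Server',       [string]$row.Server)
    $bag.AddValue('Client',       [string]$row.Client)
    $bag.AddValue('User',         [string]$row.User)
    $bag.AddValue('Dialect',      [string]$row.Dialect)
    $bag.AddValue('SessionCount', [int]$row.SessionCount)
    $bag.AddValue('OpenFiles',    [int]$row.OpenFiles)
    $bag.AddValue('CollectedUtc', [string]$row.CollectedUtc)
    $bag
}
```

Because Get-SmbSession only shows sessions that exist at the moment it runs, a single execution can miss a client that connects briefly once a day; the collection rule therefore needs a short enough interval, and the report should be read over days rather than as a single snapshot. On Windows Server 2016 and later, Set-SmbServerConfiguration -AuditSmb1Access $true is a complementary source: it logs each SMB1 connection attempt to the Microsoft-Windows-SMBServer/Audit event log, which catches the short-lived sessions a polling script cannot.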
