Thursday, June 19, 2014

Daily Blog #361: SCCM and IR

Hello Reader,
You may not often combine the ideas of SCCM (System Center Configuration Manager) and Incident Response, but you should. I wanted to pass along something that I've used as a recurring script to track users to computers and, in IR situations, to find possibly compromised systems if the attacker is doing interactive logins.

Step 1. Ask the SCCM admin for read-only access to the back-end SCCM database. This is important: you want the SCCM MS SQL database, not the SCCM front end.

Step 2. Get an MS SQL client. I like Navicat for SQL Server, which has a free trial.

Step 3. Access the database and find the computer table. I've seen it named 'v_GS_COMPUTER_SYSTEM' and 'COMPUTER_SYSTEM_HIST'. Look for something similar.

Step 4. Run the following query:

select Name0 from (COMPUTER_SYSTEM_TABLE_YOU_FOUND) where UserName0 = '(COMPROMISED_ACCOUNT_NAME)'

What will come back is a list of all the systems that recorded the compromised account as the last account to have logged in. This will obviously change quickly once the next user logs in, but it can bring back a lot of intelligence as to where an active attacker has been hitting.
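
As an added example (not part of the original post), here is a T-SQL version of the Step 4 query that goes beyond the single-account case: it checks several accounts at once and also reads the inventory history, so a system still shows up after another user has logged in. It assumes your site database exposes the v_GS_COMPUTER_SYSTEM view along with a v_HS_COMPUTER_SYSTEM history view and a TimeStamp column on both; the account names are constructed placeholders.

```sql
-- Added example: sweep SCCM inventory for systems that recorded any of
-- several compromised accounts as the last logged-on user.
-- Assumptions: view names and the TimeStamp column match your site database;
-- substitute the names you found in Step 3 if they differ.

-- Constructed placeholder accounts; replace with the accounts under investigation.
DECLARE @accounts TABLE (UserName NVARCHAR(256) PRIMARY KEY);
INSERT INTO @accounts (UserName) VALUES
    (N'EXAMPLE\svc_backup'),
    (N'EXAMPLE\jdoe');

WITH sightings AS (
    -- Current inventory: one row per system, overwritten on each inventory cycle.
    SELECT Name0, UserName0, [TimeStamp] AS RecordedAt, 1 AS IsCurrent
    FROM v_GS_COMPUTER_SYSTEM
    UNION ALL
    -- Inventory history: earlier values retained by the site.
    SELECT Name0, UserName0, [TimeStamp] AS RecordedAt, 0 AS IsCurrent
    FROM v_HS_COMPUTER_SYSTEM
)
SELECT s.UserName0        AS Account,
       s.Name0            AS Computer,
       MIN(s.RecordedAt)  AS FirstRecorded,
       MAX(s.RecordedAt)  AS LastRecorded,
       -- 1 if the account is still the last recorded user on that system.
       MAX(s.IsCurrent)   AS StillLastUser
FROM sightings AS s
JOIN @accounts AS a
  ON a.UserName = s.UserName0
GROUP BY s.UserName0, s.Name0
ORDER BY LastRecorded DESC;
```

Rows with StillLastUser = 0 are systems where someone else has since logged in; they would be missed by a query against the current table alone.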