Daily Blog #361: SCCM and IR

Hello Reader,
           You may not often combine the ideas of SCCM (System Center Configuration Manager) and Incident Response, but you should. I wanted to pass along something I've used both as a recurring script to track which users log on to which computers, and in IR situations to find possibly compromised systems when the attacker is doing interactive logins with a stolen account.

Step 1. Ask the SCCM admin for read-only access to the back end SCCM database. This is important: you want the SCCM MS SQL database itself, not the SCCM front end console.

Step 2. Get a MS SQL client. I like Navicat for SQL Server, http://www.navicat.com/products/navicat-for-sqlserver, which has a free trial.

Step 3. Access the database and find the computer system table. I've seen it named 'v_GS_COMPUTER_SYSTEM' and 'COMPUTER_SYSTEM_HIST'; look for something similar.

Step 4. Run the following query:

select Name0 from COMPUTER_SYSTEM_TABLE_YOU_FOUND where UserName0 = '<COMPROMISED_ACCOUNT>'

Replace COMPUTER_SYSTEM_TABLE_YOU_FOUND with the table or view from Step 3 and the placeholder with the compromised account (normally in DOMAIN\username form). What comes back is a list of all the systems that recorded the compromised account as the last account to have logged in. This value will obviously be overwritten as soon as the next user logs in, but it can still bring back a lot of intelligence as to where an active attacker has been hitting.
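The following T-SQL is an added example, not a query from the original post: it extends the Step 4 query to search both the current inventory view and its history view, so a system where the account was last seen in an earlier inventory cycle still surfaces even after another user has since logged in. It assumes the standard SCCM views v_GS_COMPUTER_SYSTEM (current) and v_HS_COMPUTER_SYSTEM (history), each exposing Name0, UserName0 and TimeStamp; the account value is a placeholder.

```sql
-- Added example (not from the original post). Find every system whose
-- hardware inventory recorded the compromised account as last logged-on
-- user, in the current snapshot AND in earlier inventory cycles.
-- Assumed views: v_GS_COMPUTER_SYSTEM (current) and v_HS_COMPUTER_SYSTEM
-- (history); swap in COMPUTER_SYSTEM_HIST if that is what your site exposes.
DECLARE @Account nvarchar(256) = N'CORP\jdoe';   -- placeholder, DOMAIN\user form

SELECT hits.src, hits.Name0, hits.UserName0, hits.[TimeStamp]
FROM (
    -- What the client reported at its most recent inventory cycle
    SELECT 'current' AS src, Name0, UserName0, [TimeStamp]
    FROM   v_GS_COMPUTER_SYSTEM
    WHERE  UserName0 = @Account
    UNION ALL
    -- Older inventory rows: catches systems already overwritten by a new logon
    SELECT 'history' AS src, Name0, UserName0, [TimeStamp]
    FROM   v_HS_COMPUTER_SYSTEM
    WHERE  UserName0 = @Account
) AS hits
-- Newest sighting first gives a rough timeline of where the account moved
ORDER BY hits.[TimeStamp] DESC, hits.Name0;
```

Keep in mind that UserName0 is populated by the hardware inventory cycle, so each row reflects the state at the time that client last reported in, not real time; treat the TimeStamp as "seen by" rather than "logged on at".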

Daily Blog #361: SCCM and IR Reviewed by David Cowen on June 19, 2014

All Rights Reserved by Hacking Exposed Computer Forensics Blog © 2014 - 2020