EPM Fundamentals
Credential Theft Protection and Event Monitoring
CyberArk University 2017

Privileged Management Implementation Workflow
- Server Installation
- Agent Deployment
- Silent Application Discovery
- Policy Creation
- Exception Management
- Monitoring
- Reporting
(workflow diagram stages: Installation, Deployment, Discovery, Policies, Auditing)

Objectives
This session will explain the following concepts and functionality:
- Threat Detection
- Triggering Threat Detection Alerts for demos and POCs
- Privilege Threat Analytics (PTA) and SIEM Integration
- Reports and Dashboards
Note that the Threat Detection functionality is not available in the GPO edition of EPM.

Detect and Block Suspected Credential Theft Attempts by Malicious Users and Applications
- What risk do compromised credentials represent?
  - They give direct access to accounts on various platforms
  - Users often specify the same password for several accounts on different platforms
- Threat Detection monitors for different attack vectors
- No additional endpoint requirement other than the EPM agent
- Functionality is intended to be continuously updated

How Does it Work?
- CyberArk Lab investigates various attack vectors
- Attack indications are extracted (e.g. unexpected access to LSASS memory)
- EPM internal policy is updated by R&D with the indicators
- EPM device driver now hooks these accesses to LSASS
- Blocking mode: access is blocked; Detection mode: access is detected
- Alert is sent to EPM console

6.0 Detection and Blocking Capabilities
- LSASS Credentials Harvesting
- SAM Hash Harvesting
- Firefox Credentials Theft
- Chrome Credentials Theft
- WinSCP Credentials Theft
- VNC Credentials Theft

6.1 Detection and Blocking Capabilities
- Service Account Credentials Theft
- Domain Credentials Cache Harvesting
- CheckPoint Endpoint Security VPN Credentials Theft
- mRemoteNG Credentials Theft
- Suspected Registry Dump
- Suspected Path Rename

6.1 Detection and Blocking Capabilities (cont.)
- Suspicious Request to Boot in Safe Mode
- Suspicious Request to Boot in Test Signing Mode
- Suspicious Request to Boot in Debug Mode

6.2 Detection and Blocking Capabilities
- Toad For Oracle Database Client Credentials Theft
- SQL Server Management Studio Credentials Theft
- FileZilla Credentials Theft
- DashLane Credentials Theft
- TeamViewer Credentials Theft
- Remote Desktop Connection Mgr. Credentials Theft
- LogMeIn Pro Credentials Theft

Threat Detection UI
- Clicking on Threat Detection shows all policies
- Shows whether the status is active or not for each policy
- Also shows if the policy is set to detect or block the attack

Activating Theft Detection Policies
- Click on Options, then Activate all
- To activate single policies, select the desired policy, then either:
  - Right-click on the policy and click Activate in the drop-down
  - Click on Options, then Activate

Editing a Threat Detection Policy
- Activating a policy sets the action to Detect by default
- To block, and to change advanced policy settings, right-click on the policy and click Edit

Editing a Threat Detection Policy (Action)
- Activating a policy sets the action to Detect by default
- Detect: credential theft attempts are not blocked, but generate alerts
- Block: blocks future attempts of credential theft

Editing a Threat Detection Policy (Apply Policy to selected Computers in Set, AD Computer Groups)
Threat Detection Policies can be restricted to:
- Specific Computers
- EPM Computer Groups
- AD Computer Groups
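To make the policy settings described in these editing slides concrete (the Detect/Block action, the computer scope, and the excluded-app wildcards covered next), here is an added Python model of how they combine for one event; it is not EPM's or CyberArk's code, and the policy name, group names and file paths are constructed for the example.

```python
# Hypothetical model (added here, not EPM's own code) of Threat Detection policy evaluation.
from dataclasses import dataclass, field
from fnmatch import fnmatch
from pathlib import PureWindowsPath

@dataclass
class ThreatPolicy:
    name: str
    active: bool = False
    action: str = "Detect"  # "Detect" = alert only, "Block" = stop the access
    computers: set = field(default_factory=set)        # specific computers
    computer_groups: set = field(default_factory=set)  # EPM or AD computer groups
    excluded_apps: list = field(default_factory=list)  # filename or path patterns

@dataclass
class Event:
    policy: str      # name of the policy whose indicator was triggered
    computer: str
    groups: set      # computer groups the endpoint belongs to
    image_path: str  # full path of the process that tripped the indicator

def in_scope(policy, event):
    if not policy.computers and not policy.computer_groups:
        return True  # no restriction: policy applies to every computer
    return event.computer in policy.computers or bool(event.groups & policy.computer_groups)

def is_excluded(policy, event):
    filename = PureWindowsPath(event.image_path).name
    for pattern in policy.excluded_apps:
        # A pattern with a path separator matches the full path, otherwise the filename only.
        target = event.image_path if "\\" in pattern else filename
        if fnmatch(target.lower(), pattern.lower()):
            return True
    return False

def evaluate(policy, event):
    applies = policy.active and event.policy == policy.name and in_scope(policy, event)
    if not applies or is_excluded(policy, event):
        return "Ignore"
    return policy.action

def demo():
    # Constructed sample policy and events, not real EPM telemetry.
    policy = ThreatPolicy("LSASS Credentials Harvesting", active=True, action="Block",
                          computer_groups={"Finance-Workstations"},
                          excluded_apps=["C:\\Program Files\\Backup\\*.exe"])
    events = [Event(policy.name, "WS-FIN-01", {"Finance-Workstations"}, r"C:\Temp\suspect.exe"),
              Event(policy.name, "WS-FIN-01", {"Finance-Workstations"}, r"C:\Program Files\Backup\agent.exe"),
              Event(policy.name, "WS-HR-07", {"HR-Workstations"}, r"C:\Temp\suspect.exe")]
    return [evaluate(policy, e) for e in events]  # ['Block', 'Ignore', 'Ignore']
```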
Editing a Threat Detection Policy (Excluded Apps)
- If necessary, exclude specific applications from the policy
- Click on Edit to add exclusions
- An exclusion can be applied to a filename or a path
- Wildcards can be used for the filename or path

Editing a Threat Detection Policy (End-User UI)
- Set whether the user will be alerted when the policy is triggered
- Default is Show Nothing
- Otherwise, select which message will be displayed to the end-user via a system tray bubble.

Threat Detection Definitions File
- Definitions are stored in PASPD.DLL
- CyberArk will release new versions of the DLL with enhanced protection against new attack vectors
- Upgraded files can be uploaded by account administrators

Updating Threat Detection Definitions File
- Log in as an account administrator
- Browse to Configuration => Threat Detection
- Click on Upgrade
- Browse to and select the updated file, then click on OK

Triggering Threat Detection Alerts for Demos and POCs

Generating Events Manually or with Third-party Tools
- It is possible to generate Threat Detection alerts manually using various programming or scripting techniques, command line tools and script-kiddy attack GUIs.
- Unfortunately, due to legal restrictions, we can't teach you these techniques or the tools that leverage them.
- If required, suspend policies on the demo machine using the system tray icon (information in the Troubleshooting section)

DNA Discovery and Audit
- CyberArk tool for evaluating privileged account usage and vulnerabilities in the customer environment
- Discovers users who still have admin rights. An organization may have a standard user policy in place, but some "privilege" groups still have admin rights
- Uses techniques which trigger Threat Detection alerts:
  - LSASS access
  - Pass-the-hash

Introducing Viper
Most Important!
- The tool should be used only and exclusively for its designated purpose.
- The scope of the scan should be limited to the minimum required.
- The tool should be used only by CyberArk trained teams.
- The tool should be used only during sales/demonstration meetings between CyberArk trained personnel and the customer.
- Once the meeting is over the tool should be fully closed/shut down, without allowing the customers to make any further use of the tool.
- The customers should be advised not to copy/forward the tool.
- Any report that the tool produces should be considered as confidential information of the customer, and the customer should be advised accordingly.
- Simple UI which runs different actions that trigger Threat Detection alerts
- An internal tool that should be run only by CyberArk trained teams for demo purposes

Using Viper in Course Lab Environment
- Only supplied for use in the training environment
- Do not copy the tool
- Request a copy from the account manager, if required
- Always run as administrator
- Microsoft Defender needs to be disabled; it is already disabled in our environment

Viper – Selecting Attacks
- Choose credential attacks:
  - Browser
  - Local Windows Security
  - Mimikatz
  - AD and Kerberos
- Click Launch to run the selected attacks

Viper – Harvesting Credentials
Review results:
- Digit: number of accounts harvested using the attack
- E: error
- Dash (-): the tool was launched, but this attack does not try to retrieve credentials itself

Viper – Harvesting Credentials (Execution Report)
- The execution report shows console output from the respective tools
- Shows information about retrieved credentials
- When running on customer systems, do not remove from site without authorisation from the client

Review Activity in EPM Console
- The Aggregated Events page lists applications that triggered Threat Detection events.
- Application Control Policies can be created to block malware
- Policies can also be created to allow particular apps that require access to credentials

Change Threat Detection Policies to Block
- In the Threat Detection window, edit the policies
- Change each policy to Block
- Make sure that the policies are updated and resumed on the target

Re-run Viper With Blocking On
- Close and restart the Vip3r executable
- Re-run the tests
- Note that all Mimikatz tests now fail to retrieve creds
- Although Lsass.exe and SAM file copy show success, reviewing the execution report shows no credentials were retrieved.
- The Aggregated Events view now shows the events as blocked

Privilege Threat Analytics (PTA) and SIEM Integration

PTA Integration to Show Credentials Theft Incidents*
- Threat Detection events in EPM can trigger alerts in PTA (Privileged Threat Analytics)
- Alerts are displayed in the PTA console
- SOC (Security Ops Centre) staff can drill down into an event to see more information
*PTA integration is not available for SaaS installations

Retrieving Connection Credentials from PTA
- The connection between EPM and PTA needs to be authenticated
- The required credentials are stored in a file called prepwiz.log on the PTA server
- For PTA 3.3, the file is located in /opt/apache-tomcat-7.0.40/prepwiz/logs
- Search for the EPP credentials and note the Username and Password

Configuring PTA Integration
- In the Configuration => Threat Detection section, click on PTA Configuration
- Enter the Username and Password retrieved from prepwiz.log
- Click on Save

Configuring Event Listeners
- Allows configuration of external listeners such as a SIEM
- In the Server Configuration => Event Listeners section, click on None next to Third-Party Listeners

Configuring Event Listeners (cont.)
- On the Change Configuration Parameter Value screen, click on Off next to the listener
- Select On from the dropdown
- Set the configuration as required
- Click OK, then Save

Supported Event Listeners
- Logstash - System for log collection, processing, storage and searching activities.
- Text File – XML file created on the EPM Server
- SysLog - A standard for message logging that permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.
- Splunk - Captures, indexes and correlate