In these environments, before creating discoveries, associate a logon account with the account that will be used to run discoveries on remote Unix machines. For more information about creating and associating logon accounts, see Create linked accounts. To run a scan, you must have the required permissions. For details, see Permissions required for running a scan. On the New Windows Accounts Discovery page, enter the following information. Select the account to run the scan; typically, this is a domain administrator account.
Select one of the following options: click Click to select an account from the Vault. Note: make sure that the CPM selected for the scan has access to the Safe to which the account belongs. You can enter only one OU. The Privilege Cloud portal connects to the Active Directory using the user credentials you specified.
The initial state of the scan is Pending. Click the Refresh button to update the state. Recurrent discoveries are added to the list of pending discoveries and are performed on the date and time you set.
In Which user will scan the machines, enter the user name of the user running the scan. The CPM will scan only machines that it can physically access. In What recurring pattern to set for this Discovery, select whether you want this scan to be recurring or one-time, and set the date and time.
After you perform a discovery scan, Analyze pending accounts. Account dependencies can be discovered for accounts in the pending list or for accounts that exist in Privilege Cloud. You can discover account dependencies by running the discovery process or by using the Add discovered accounts API. Newly discovered dependencies for pending accounts are reflected in the pending list by updating the counter of the account dependencies.
Newly discovered dependencies for accounts that already exist in Privilege Cloud could potentially be non-legitimate or malicious. Therefore, we recommend that you review and approve each newly discovered dependency, to prevent such dependencies from being automatically managed by the system. When new dependencies associated with an existing domain account are discovered, they are automatically onboarded, and the account is disabled for automatic CPM management.
The grid displays pending accounts discovered by scans and by external scanners using the AddPendingAccounts Web Service. You can onboard accounts and SSH keys that are displayed in the Pending Accounts page so that you can manage them automatically. If an account contains dependencies, the dependencies are automatically onboarded with the account. A newly discovered dependency could potentially be non-legitimate or malicious.
Therefore, it is recommended to review and approve each newly discovered dependency to prevent such dependencies from being onboarded automatically by the system. When a discovery finds new dependencies associated with a domain account that was previously onboarded or already exists in the system, by default the dependencies are automatically onboarded and the account is disabled for automatic CPM management.
When onboarding multiple accounts that share the same SSH key, the private SSH key is associated with only one account. After onboarding, associate all these accounts with the same group so that they can all use the same SSH key. In Store in Safe, select a safe or create a new one. To create a safe, see Add a new Safe. This sets the passwords for the accounts in Privilege Cloud; it does not reset the actual passwords on the target systems.
For more information about synchronizing passwords, see Reconcile passwords. Domain Administrator, or an equivalent domain user with the following permissions:
For more information, contact your CyberArk representative. A list of pending accounts is created, which includes accounts that were already discovered. As the discovery was not completed, some account dependencies may not be included. A discovery log is written that contains details about the user who stopped it and the time when it was stopped. This discovery log can be accessed through a link in the Discovery Preview pane.
In the Discovery Management page, select the discovery you want to stop, and then click Stop. In the message that appears, click Stop Discovery, and then click OK to confirm your action. When you delete a recurring discovery, the selected discovery is deleted together with all its details and the details of the previous times it ran. The discovery was completed but errors occurred. You can view the errors that occurred during this discovery in the specific discovery log.
Discovery: How to discover Windows Domain Controller machines? (BMC Discovery)
Just make sure you get that authorization though.
If you use DBCreator. This is due to a syntax deprecation in a connector. The first time you run this command, you will need to enter the Neo4j credentials that you chose during its installation. If you collected your data using SharpHound or another tool, drag and drop the resulting Zip file onto the BloodHound interface. Import may take a while. On the right, we have a bar with a number of buttons for refreshing the interface, exporting and importing data, changing settings, etc.
Click on the Settings button (the 3 gears button, second to last on the right bar) and activate the Query Debug Mode. This will help you later on by displaying the queries for the internal analysis commands in the Raw Query field at the bottom. The fun begins on the top left toolbar. To the left of it, we find the Back button, which also is self-explanatory. The third button from the right is the Pathfinding button (highway icon).
A second textbox will open, allowing us to enter a source (the top textbox) and a destination (the newly opened bottom one), and find a path between these two nodes. Clicking it, a context menu with 3 tabs opens: Database Info (displaying statistics about the database and some DB management options at the bottom), Node Info (displaying information on the currently selected node), and the Analysis button leading to built-in queries.
The Node Info field (see screenshot below) shows you information on the selected node, as well as relationships this node has with other nodes, such as group memberships or sessions on computers. Clicking one of the options under Group Membership will display those memberships in the graph. The Analysis tab holds a lot of pre-built queries that you may find handy. This can generate a lot of data, and it should be read as a source-to-destination map. If you can obtain any of the necessary rights on a source node (such as the YMAHDI user in the example above), you can walk the path towards Domain Admin status, given that the steps along the way indeed fulfil their promise (more on that later).
As we can see in the screenshot below, our demo dataset contains quite a lot. Interestingly, on the right-hand side, we see there are some Domain Admins that are Kerberoastable themselves, leading to direct DA status. These rights would allow wide access to these systems to any Domain User, which is likely the status that your freshly phished foothold machine user has.
These sessions are not eternal, as users may log off again. By the time you try exploiting this path, the session may be long gone. What can we do about that? Well, there are a couple of options. Firstly, you could run a new SharpHound collection with the following command: This will collect the session data from all computers for a period of 2 hours. A number of collection rounds will take place, and the results will be Zipped together (a Zip full of Zips).
This gives you an update on the session data, and may help abuse sessions on our way to DA. Another way of circumventing this issue is not relying on sessions for your path to DA. However, filtering out sessions means leaving a lot of potential paths to DA on the table. It is best not to exclude them unless there are good reasons to do so.
Sessions can be a true treasure trove in lateral movement and privilege escalation. In the last example, a GenericWrite on a high-privileged group allows you to add users to it, but this may well trigger some alerts.
As always in Red Teaming, it is important to be aware of the potential footprint of your actions and weigh it against the benefit you stand to gain. The BloodHound interface is fantastic at displaying data and providing the pre-built queries that you will need often on your path to conquering a Windows Domain. Or you want to run a query that would take a long time to visualize, for example one with a lot of nodes.
Or you want a list of object names in columns, rather than a graph or exported JSON. Whatever the reason, you may feel the need at some point to start getting command-line-y. This is where your direct access to Neo4j comes in.
Remember how we set our Neo4j password through the web interface at localhost? That interface also allows us to run queries. That is because we set the Query Debug Mode (see earlier). We can simply copy that query to the Neo4j web interface. In the screenshot above, we see that the entire User object n is being returned, showing a lot of information that we may not need.
Now the real fun begins, as we will venture a bit further from the default queries. We can use the second query of the Computers section. Mind you, this is based on their name, not on which KBs are installed; that kind of information is not stored in AD objects. It is quite possible that systems are still in the AD catalog but were retired a long time ago.
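As an added example (not a query from the original post or from BloodHound's own Analysis tab), the following Cypher query, run directly in the Neo4j web interface, shows both points just made: returning selected columns instead of the whole node, and matching retired Windows versions by their OS name only. It assumes the BloodHound Computer node properties name, operatingsystem, enabled and lastlogon (Unix epoch seconds); those property names are an assumption about the collector's schema.

```cypher
// Added example, not from the original post. Assumed BloodHound schema:
// Computer nodes carrying name, operatingsystem, enabled and lastlogon (epoch seconds).
// Match on the OS *name string* only: AD does not record installed patches (KBs),
// so a hit means the object's OS string is old, not that the host is live or unpatched.
MATCH (c:Computer)
WHERE c.operatingsystem =~ '(?i).*Windows (2000|XP|Vista|7|8|Server 2003|Server 2008).*'
RETURN c.name              AS computer,
       c.operatingsystem   AS os,
       c.enabled           AS enabled,
       // lastlogon is null or 0 when the collector could not read it
       CASE WHEN c.lastlogon > 0
            THEN datetime({epochSeconds: c.lastlogon})
            ELSE null END  AS lastLogon
ORDER BY lastLogon
```

Objects that are disabled or have no recent lastLogon are most likely stale catalog entries rather than reachable hosts, so treat the list as a cleanup and risk-review inventory and confirm each host's actual state before acting on it.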