CyberArk University
Exercise Guide
CONTENTS
INTRODUCTION
USING SKYTAP
INTERNATIONAL USERS
3/21/2022
© Cyber-Ark® Software Ltd - No part of this material may be disclosed to any person or firm or reproduced by any means, electronic and
mechanical, without the express prior written permission of Cyber-Ark® Software Ltd.
CyberArk Privileged Threat Analytics – Install & Configure
INTEGRATIONS
OVERPASS-THE-HASH
TROUBLESHOOTING
SHORTCUTS.SH
CyberArk Privileged Access Security – Administration
Introduction
Using Skytap
Before beginning exercises, here are a few tips to help you navigate the lab more
effectively.
1. Click the large monitor icon to connect with the HTML5 client
2. Use the Ctrl-Alt-Del button on the tool bar to send a Ctrl-Alt-Del to the machine
3. The clipboard icon will allow you to copy and paste text between your computer and
your lab machine. Do NOT copy parameters or settings from a PDF file into the
environment. It does not work.
4. The full screen icon will resize your lab machine to match your computer’s screen
settings to avoid scrolling
International Users
By default, the lab machines are configured to use a US English keyboard layout. If you
use a keyboard from a country other than the US, you may experience odd behavior from
your lab machines. The solution is to install the layout for your keyboard on the lab
machines. Follow the process below to find and configure the correct keyboard layout
for your keyboard.
5. If you use an alternate keyboard layout (e.g. AZERTY, Dvorak), click Options next to
your language to install it; otherwise, close the Language window.
6. In the system tray, click ENG, then choose your keyboard layout.
7. You may switch back and forth between keyboard layouts (your instructor may
occasionally need to switch back to ENG to help you with exercises).
We will be performing our work as the Active Directory user Mike (password Cyberark1).
We will log into the machine Components with this account and also use it to log into the
PVWA.
Our primary PTA server is PTAServer1, whose IP address is 10.0.0.2. We will connect to
it through PSM connections launched in the PVWA. In that way, all our actions on the
PTA will be recorded and auditable.
Ensure that all the VMs in Skytap – with the exception of PTAServer2 (we will start this
later) – are running before beginning the exercises.
As a first step, we will upgrade the PTA software on a CentOS Server. To do this, we will:
• Copy the upgrade files from the local drive on the Components server to the /tmp
directory on ptaserver1.
• Connect to ptaserver1 via the PSM.
• Modify the execution permissions on the upgrade script.
• Run the upgrade script.
Note: We have added the upgrade exercise here primarily to demonstrate how easy it is to
deploy a PTA.
To perform this first step, we will connect to ptaserver1 with WINSCP via the PSM.
Note: You should be connected as the user Mike (password Cyberark1) to the server
Components. You should imagine that you are the Vault administrator and that
you are logged into your own workstation.
4. Find the account root for ptaserver1.acme.corp and open a connection using
WinSCP.
6. Select and drag the two files pta_installer.sh and pta-12.2.3.0.tgz from the left to the
right, copying them to the /tmp directory.
7. When you have finished, you can close the WinSCP window, but leave the PVWA
open.
As our next task, we will open a PSM connection to the PTAServer, and run the upgrade
script to bring the primary PTA up to the same version as our CyberArk PAM installation.
cd /tmp/
chmod 700 pta_installer.sh
./pta_installer.sh
5. It will take a moment to extract the files. You will then receive a message saying it is
best to perform a snapshot before executing an upgrade. We will skip the snapshot,
so enter lower-case y and hit Enter to proceed with the upgrade.
The upgrade process will take a few minutes, enough time to go fetch a coffee or a tea.
At the end of the process, you will be advised to restart the server. Type:
shutdown -r now
This will reboot the server, end the remote session, and close PuTTY.
We want all communication with the PTA servers to be secured and encrypted, which
means we will need to get PKI certificates for each of our servers: ptaserver1, which is
our primary server, and ptaserver2, which is our disaster recovery server.
Additionally, there is a DNS alias ptaserver that re-directs to either 10.0.0.2 or 10.0.0.3
(whichever responds). Our clients (other servers and end users) will be given the address
for the DNS alias – ptaserver.acme.corp as the target address, so each of our PTA
servers must be able to identify itself as either itself or the DNS alias. To achieve this, we
will use the Subject Alternative Name (SAN) parameter in the certificate.
The CyberArk PTA has a built-in mechanism for generating certificate requests. We will:
• Generate a certificate signing request (CSR) for our first PTA server
• Submit that request to the Cyber-Ark-Demo Certification Authority for
signature
• Import the signed certificate into the ptaserver1 machine
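The following script is an added example and is not the PTA utility's own code: it uses openssl to build a CSR whose Subject Alternative Name carries the DNS alias, the server's own host name and its IP address, and then reads the SAN back out of the CSR so you can confirm exactly what will be submitted to the CA. openssl on the PATH and the temporary working directory are assumptions of the example; the names and addresses are the lab values above.

```shell
#!/bin/sh
# Added example, not part of the PTA utility: generate a CSR whose Subject
# Alternative Name lists the shared DNS alias, the server's own name and its IP,
# then read the SAN back before submitting the CSR to the CA.
# Assumptions: openssl is on PATH; names/IPs are the exercise's lab values.
set -eu

WORK="${TMPDIR:-/tmp}/pta-csr-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

make_csr() {
  # make_csr CN SANLIST -> prints the path of the generated CSR
  # CN is the DNS alias; SANLIST uses openssl syntax, e.g. "DNS:a,DNS:b,IP:1.2.3.4"
  cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $1
O = ACME
[v3_req]
subjectAltName = $2
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/pta.key" -out "$WORK/pta.csr" \
    -config "$WORK/req.cnf" >/dev/null 2>&1
  chmod 600 "$WORK/pta.key"   # the private key never leaves the PTA server
  printf '%s\n' "$WORK/pta.csr"
}

csr_sans() {
  # csr_sans CSR -> prints the SAN line, e.g. "DNS:x, DNS:y, IP Address:10.0.0.2"
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

csr_has_san() {
  # csr_has_san CSR ENTRY -> success if ENTRY (e.g. "DNS:ptaserver.acme.corp") is present
  csr_sans "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF -- "$2"
}

# Primary PTA: alias as CN, alias + own name + own IP in the SAN
CSR=$(make_csr ptaserver.acme.corp \
      "DNS:ptaserver.acme.corp,DNS:ptaserver1.acme.corp,IP:10.0.0.2")
printf 'CSR %s carries SAN: %s\n' "$CSR" "$(csr_sans "$CSR")"
```

Modern TLS clients match the name they connected to against the SAN entries only, so a certificate that carries the alias in the CN but not in the SAN will be rejected when a client dials ptaserver.acme.corp; checking the SAN before the request reaches the CA avoids generating a second CSR. For ptaserver2 the same call would be made with its own name and 10.0.0.3 in the SAN list.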
Generating a CSR
In this section, we will use a PTA utility to generate a certificate signing request, or
CSR.
1. On the Components server, log into the PVWA as Mike and open another SSH
connection with account root to ptaserver1.acme.corp.
/opt/tomcat/utility/run.sh
Note: You can jump to this directory with the PTA shortcut UTILITYDIR
4. Enter the DNS alias as the PTA Host Name: ptaserver.acme.corp, and the server's own
name and IP address as the Subject Alternative Names: dns:ptaserver1.acme.corp,ip:10.0.0.2
The whole process should look like the screen below. The data entered has been
highlighted for clarity.
Your action: 14
Action in progress...
Action completed
Exiting utility.
[root@PTAServer utility]#
Copy the CSR information in the PuTTY window (highlighted in green above) to Notepad.
You can do this by selecting the text in the PuTTY window, hitting Enter, and then pasting
the text into Notepad.
Note: If you prefer, you can use WinSCP to get the generated CSR file from the PTA
server. Use the root account on 10.0.0.2 in the PVWA. The file is located at
/opt/tomcat/ca/ptaserver.csr.
In this section, we will submit the CSR for signature to the Microsoft Active Directory
Certificate Services for ACME.corp.
1. Launch Internet Explorer (there is a shortcut in the task bar). You should
automatically arrive at the following site:
https://dc01.acme.corp/certsrv
4. Copy all the contents of the CSR and paste it into the relevant box as shown below
and select ACME Server from the Certificate Template drop down menu.
5. Click Submit. You will be asked to confirm the creation of a certificate. Click Yes.
6. In the next screen, select Download certificate, making sure DER encoded is
selected.
7. Save the file as pta.cer to c:\CYBR_Files, replacing the file that is there.
Note: You should now have two certificate files in your CYBR_Files folder: pta.cer and
acme.cer. The latter file is the certificate for the Root Authority and the two files
together represent the entire authority chain.
In this section, we will upload our new certificate (pta.cer) and the certification authority
Root CA certificate (acme.cer) to the PTA server, and then run a script to associate these
certificates with our PTA server.
Warning: This process is not tolerant of mistakes. As you proceed, enter the information
carefully and then double-check that you have entered the correct information
before hitting the Enter key. If you make an error, you will have to start again from
the beginning and generate a new CSR. You have been warned.
1. Open another connection to the ptaserver1, this time using WinSCP as root to
ptaserver1.acme.corp (via the PSM, of course) and copy both certificate files –
pta.cer and acme.cer – from C:\CYBR_Files\ to the PTA server, placing them in the
/tmp/ folder.
Note: Make sure you place them in /tmp and not a sub-directory by accident.
2. You can close the WinSCP connection and switch back to the SSH connection,
which should still be open. We are going to run the same script again from the
UTILITYDIR folder:
./run.sh
3. This time choose option 15, Installing SSL Certificate Chain. Here, we will:
Your action: 15
Action in progress...
Action completed
Exiting utility.
[root@PTAServer utility]#
Note: Although it states that this step requires Vault Admin credentials, it does not prompt
for authentication. You can ignore this.
The Preparation Wizard, or PrepWiz, is a script that you run on the PTA server to
integrate it with your corporate environment. There are 18 steps in the process and we will
walk through them in this section.
If you are not still connected to PTAServer1, in Components launch a PuTTY session via the
PSM using the root account on ptaserver1.acme.corp.
1. Run the following CyberArk PTA shortcut command to jump to the PrepWiz folder:
PREPWIZDIR
./run.sh
First you need to accept the terms of CyberArk’s End User License Agreement. Type y
and then press Enter to accept the EULA (End User License Agreement).
In this step, the Wizard detects our PTA server’s current IP address, 10.0.0.2. Type n
and hit Enter to keep this value. The Wizard then detects our current DNS server,
10.0.0.1. We do not need to enter the IP addresses of any additional DNS servers, as we
only have one, so enter n and hit Enter.
DNS configuration
Found existing DNS server: 10.0.0.1
Testing configuration... ping - to perform verification of DNS
Configuration test was completed successfully
Would you like to specify an additional DNS server (y/n)? [n]: n
PTA requires a list of each domain name with its corresponding NETBIOS
(pre-Windows 2000) name to better identify each domain name in the
data.
You must perform this step for each domain in each Active Directory
that is monitored by PTA. For more information specify 'help'.
Would you like to specify domain names mapping configuration (y/n)?: n
We will use the time zone for London – right/Europe/London – which is the zone set for
our virtual machines. We will also enter the date and time manually (use the time on your
Windows server) and we will say no to synchronizing with an NTP server.
This is an optional step that we will perform. There are a number of sub-steps, so we will
break it down.
First, we answer y (yes) to the optional step and then configure the connection to the
Vault, providing the IP address 10.0.10.1 and the port (accept the default), then enter n
to say no to configuring a DR Vault.
Then we provide the user name and password of a CyberArk user with the rights to create
safes and users (we will use the built-in Administrator account and the password
Cyberark1).
Note: In the section below, we have inserted xxxxxxxxx to show where you need to enter
the password, however these x’s will not actually appear.
Here we will say yes to loading the user and safe activities from the Vault to the PTA
database and confirm the number of days (180) of activities. This step provides the PTA
with the activity history of the Vault prior to the installation of the PTA. If you were to say
‘no’ to this option, the PTA would be starting off with a blank slate, as it were.
In this step we confirm the creation of a behavior profile for what is considered “normal”.
This step configures which IP addresses are authorized to forward information to the PTA.
We will accept from all addresses (although this is NOT the recommendation), so enter All
and hit Enter.
Specify the source host IPs that are authorized to forward messages to
PTA, separated by a comma (for example: 11.22.33.44,11.22.33.55).
To allow all hosts types to forward messages to PTA, specify 'All'.
To prevent any host type from forwarding messages to PTA, specify
'None'.
We will say yes to perform this optional step. We will say yes to the use of PTA agents.
We will say no to the installation of a network sensor machine.
Here we will skip Golden Ticket configuration. We will configure it manually later.
We will perform this optional step. We will skip encrypting the connection and then we will
enter the IP address of our mail server (10.0.0.1), confirm the default port (25), enter a
no-reply email address for the sender (CyberArk_PTA@cyber-ark-demo.local) and the
group address for the receiver of notifications (cyberarkvaultadmins@cyber-ark-demo.local),
and say no to mail server authentication. Finally, we will say ‘yes’ to a test email. You
will find a shortcut to the email server in your browser. Connect with the account Mike
with the password Cyberark1 and you should receive a test mail (see the image below).
In this step we will create a password for the PTA maintenance user ptauser. We will use
Cyberark1.
Nothing to do here. This step launches automatically after the previous step.
PTA services will automatically restart. This will take a couple of minutes at the end of
which you should see the following message:
shutdown -r now
In this section, we are going to log in to the PTA web dashboard, perform a required
password change, and upload the license file.
Tip: You can use the CyberArk PTA shortcut command UTILITYDIR and go directly to
this location.
2. Run the command to reset the default Administrator password for the web console.
./resetPtaAdminPass.sh
3. You will be prompted to continue resetting the Administrator’s password, type y and
then Enter.
4. Type in Cyberark1 as the password and then hit Enter and then retype Cyberark1 to
confirm the password and then hit Enter to confirm
6. Running the password reset requires entering a new password at first log in. Enter
the following credentials:
• Username: administrator
• Password: Cyberark1
7. You will now need to set a new password. Use the following as the new password:
CyberArk1234. You will need to enter the password twice.
8. In the next window you will need to upload the PTA License. Use the browse button
and navigate to C:\PTA Course and select the file shown below to upload
PTA_NFR_CyberArkTraining_Until_2022-21-31.xml.
9. If the page doesn’t refresh automatically, click the refresh button and you should
have access to the PTA dashboard as shown below:
Integrations
In this section, we will configure the connections between the PTA and the following
components:
• Vault
• Active Directory
• PVWA
• PSM
Vault Integration
In this section, we are going to integrate the PTA with the Vault by adding a syslog section
to the file dbparm.ini and updating the Vault’s PTA.xsl file to version 12.2.3.
Two files for this purpose have been prepared for the training and are already in a Safe
named xfer in the Vault, so we will connect to the Vault server and download these two
files.
Note: The first time you log into the Vault Windows server after a restart, you will have to
allow a script to run via UAC.
2. Log in to the PrivateArk Client as Administrator. There is a Safe named xfer. Open
the Safe and download the files Syslog_PTA_dbparm.txt and PTA.xsl. Place them
on the desktop or wherever is convenient. You can close the PrivateArk Client.
4. Open the dbparm.ini file using Notepad and replace the existing [SYSLOG] section
at the bottom of the file with the contents of the file Syslog_PTA_dbparm.txt:
[SYSLOG]
SyslogTranslatorFile=Syslog\PTA.xsl
SyslogServerPort=514
SyslogServerIP=10.0.0.2,10.0.0.3
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=7,24,31,294,295,300,302,308,359,361,372,373,411,412,427,428,436,471,4624,4720,4723,4724,4732
UseLegacySyslogFormat=No
6. Restart the PrivateArk Server service using Windows Services for the
configuration to take effect (say “Yes” to also restarting the Cyber-Ark Event
Notification Engine). Check ITALOG.log for errors before proceeding.
7. Once you have done this, you can log off the Vault server and return to
Components.
8. Login to the PTA Dashboard and you should now see Vault data coming through.
Active Directory
In this section, we will configure the PTA to connect to your organization’s Active Directory
server using LDAP/S.
2. Go to the SETTINGS tab and click the AD Connectivity link in the left-hand pane.
3. In the Global Catalog server address field, enter the FQDN of the Active Directory
server: dc01.acme.corp.
4. Select Yes for the LDAP over SSL option. The value for the Global Catalog port
will change automatically to 3269.
5. For the SSL certificate field, click the Browse button, go to the C:\CYBR_Files
directory and select the domain controller certificate acme.cer. Note that the path to
the file will appear as: C:\fakepath\acme.cer. This is normal.
6. In the User Principal Name field, enter the name of the user account that will be
used to enable the PTA Server to scan the AD Server (the bind account):
bindaccount@acme.corp
11. Click on DASHBOARD in the top bar and you should see that the PTA is now
connected to Active Directory and that it has already detected a risk in our Active
Directory configuration. This change may take a moment to appear.
12. While still in the PTA Dashboard, go to the Settings tab and click the PAS
Connectivity link in the left pane.
PVWA
We configured the connection to CyberArk PAM during the 18-step Preparation Wizard
executed earlier. Here, we are going to review our configuration and then activate some
additional PTA functionality through the PVWA.
To begin, let’s make sure that the PVWA has updated its configuration based on the
recent changes by restarting the IIS server, which you can do by opening a command line
with Run as administrator, typing iisreset, and hitting Enter.
2. Browse to Security -> Security Configurations and enable all the options, as
shown below.
PSM
Now we are going to configure the Privileged Session Manager to exchange information
with the PTA.
2. Go to Options > Privileged Session Management > General Settings > Server
Settings > Live Sessions Monitoring Settings. Set AllowPSMNotifications to
Yes and click Apply. Verify that the parameter MonitoringLevel is set to Control.
This allows members of the group PSMLiveSessionTerminators to terminate PSM
sessions. CyberArk Vault Admins have already been added to this group.
3. Next, verify that the group PSMLiveSessionTerminators is set for the two
parameters Terminating Live Sessions Users and Groups and Suspending Live
Sessions Users and Groups under Live Sessions Monitoring Settings.
We will perform this action using an RDP connection on the PSM. In that way, our actions
will be recorded and can be monitored.
This task builds a script that is then used to install the PTA Agent on a Windows server
with the appropriate parameters.
2. Find the domain account administrator and select the machine target-win.acme.corp.
Click Connect to open an RDP connection via the PSM to the target server.
3. Once the RDP connection is created, browse to the folder C:\PTA Course using
Windows Explorer.
4. Right-click on the file PTA Agent Script Creator.exe and select Run as
administrator.
5. Enter the FQDN of the PTA servers – ptaserver.acme.corp – and hit Enter
6. Leave the default PTA Management Port and PTA Data Port by hitting Enter on
both.
8. For the subject name of the certificate, enter target-win.acme.corp. This is case
sensitive.
9. Leave the default location %TEMP% for the installation log by entering n.
10. Next say n to leave the default location for the PTA Agent MSI file
12. To exit the configuration tool, hit Enter a last time. This will close the command-line window.
Now we are going to open the file that was created during the last exercise and run the
command as an administrator. Because the command contains the full path to the MSI
installation file, you can run this from anywhere, but you must run it as administrator.
1. Next go back to the PTA Course folder and open the file PTAAgentInstallerOutput.txt,
do a Select All, and then Copy.
3. Paste the contents of the output file into the command line and hit Enter. You will
need to wait a moment for the installation to complete.
Note: It will look as if nothing is happening for a minute or two, but it is working. Be
patient. You should soon see a pop-up CMD window (see image below) that will
auto-dismiss after 5 seconds to inform you that the installation has been successful.
1. Open Windows Services (by typing “services.msc” or using the shortcut in the task
bar).
2. A new service called CyberArk Privileged Threat Analytics should now appear with
the status Running.
4. Verify the parameters highlighted in yellow below, making sure that the values are
exactly as shown. If they are not, fix them now, save the file, and restart the PTA
Agent service.
[Forwarder]
Windows_Event_Log=Security
[ServerInfo]
PTA_IP_Address=ptaserver.acme.corp
SSL_Data_Port=6514
SSL_Control_Port=7514
Data_Port=11615
[DCInfo]
Network_Interface_ID=1
Server_Verification_Required=true
Windows_Event_Enabled=true
Network_Enabled=false
[ClientCertificate]
Client_Certificate_Enabled=true
Client_Certificate_Subject_Name=target-win.acme.corp
Note: You will probably have to change the first parameter Windows_Event_Log. The
ForwardedEvents option is used only when the agent is installed on a Windows
Event Forwarding [WEF] Server. Restart the CyberArk Privileged Threat
Analytics service once you have made the change and saved the file.
6. Select 1 to print statistics. The output should confirm that the Agent connected
successfully to the PTA server.
8. Finally, when you close down the RDP session, make sure that you only log out of
the session. Do not shut down the machine by mistake. Click on the Windows Start
menu, then click on the user name Administrator, and click on Sign out.
Note: Log into the PTA Dashboard. You should see that you have a new source of data
labelled SIEM.
First, we need to prepare the environment a little for our exercises. Then we will be
looking at:
RootXX Users
We are going to make a small change to the rules for detecting privileged logins to
Unix/Linux servers. By default, the PTA is configured to detect logins from any user
named “root”. We want to catch “root” and every variation of root, such as “root01”,
“root02”, etc.
3. Scroll down the list until you see the entry for the Platform unix and the user root.
4. Double-click the entry and change root to root.* (that is: root period asterisk). Click
the Save button.
5. As a last measure, just to make sure that the PVWA updates its configuration, run an
IISRESET. This is not required, but it will help us move more quickly.
To detect Suspected Credential Theft, the PTA compares the login time on the target
machine with the last time the password was retrieved from the Vault. By default, the PTA
creates a Suspected Credential Theft event if the password was not retrieved within the
last 8 hours (480 minutes). For the purposes of this lab, we will configure the PTA to raise
an alert if the password was not retrieved within the last 3 minutes.
Note: To save time, we are also going to add a parameter that will help us with a later
exercise on Active Directory security and unconstrained delegation.
2. Enter the shortcut “LOCALPARM” (without the quotes). This will open the local
system properties file (/opt/tomcat/diamondresources/local/system.properties) in a
vi-like editor.
3. Add these two new lines to the file (it does not really matter where).
not_via_pim_time_window=3
unconstrained_delegation_accounts_attributes_query_task_trigger=0 */3 * * * ?
Note: If you struggle with vi, don’t panic! You are not alone.
Don’t use the numeric keypad.
Use the Insert button to enter edit mode.
Use the Escape button to exit edit mode.
You can paste from the desktop using a right-click.
:wq to save your changes (colon + w + q).
:q! to panic and exit the file without saving so that you can start again (colon + q + !)
4. To ensure that the changes to the local parameters are taken into account, restart the
PTA service with the command:
In this section you will observe how the PTA detects when privileged accounts are being
used and then check if they are being managed by CyberArk. If the account is not
managed, the PTA will generate a security alert and add the account to the list of Pending
Accounts. A Vault administrator can then onboard the account to the relevant safe.
Automatic Onboarding Rules can also be applied starting from CyberArk PAM v11.4.
Note: Due to the constrained resources of our training environment, you will need to wait a
minute or two between restarting the PTA service and provoking an unmanaged
privileged access alert. If the alert does not appear the first time, try it again.
First, we need to establish an SSH session to the target Linux server to create an alert on
the PTA, which we will review using the Security pane in the PVWA.
1. Open PuTTY from the Components server (not through the PVWA – you will find a
shortcut in the toolbar) and open an SSH session to target-lin as root02 (password:
Cyberark1). You can use the PuTTY shortcut Target Linux.
2. Log in to the PVWA as Mike and go to Security > Security Events and verify that
you can see the “Unmanaged privileged account” alert related to root02. Again,
this might take a moment to appear.
Note: This detected event is a result of the change we made earlier to the Privileged
Groups and Users. Because this account matches the regular expression root.*,
the PTA sees this event as an unmanaged privileged access. And because we set
the rule for Unmanaged Privileged Accounts to Add To Pending under the
Security Configurations / Automatic Remediations, this account is now in the
Pending List waiting to be onboarded. You can add other usernames (using
regular expressions) that should also be detected by the PTA as privileged accounts
to be managed by CyberArk PAM.
3. Go to Accounts > Pending & Discovery > Pending Accounts. Select root02 from
the list (use “Refine By” to search for the account if needed) and click on Onboard
Accounts.
4. Onboard the account to the LIN-PTA safe and associate the account with the Linux
via SSH 30 platform.
5. Use the option Set a default password and enter Cyberark1 as the default
password (do not use the Reconcile option).
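The detection just exercised (a login by a user matching a Privileged Groups and Users pattern, followed by a check against the accounts the Vault already manages, and the "Add To Pending" remediation) can be modelled in a few lines. The block below is an added illustration written for this guide, not PTA code: the rule list, the event format, the managed-account set and the sample logins are all constructed, and the narrower pattern root[0-9]* at the end is shown only to make a point about regular expressions, not as the lab's setting.

```python
import re

# Privileged Groups and Users rules as (platform, regex). The lab changes the unix entry
# from "root" to "root.*" so that root01, root02, ... are also treated as privileged.
PRIVILEGED_USER_RULES = [
    ("unix", r"root.*"),
]


def is_privileged(platform, username, rules=PRIVILEGED_USER_RULES):
    """True if the username matches a privileged-user pattern for the platform (whole-name match)."""
    return any(
        plat == platform and re.fullmatch(pattern, username, re.IGNORECASE)
        for plat, pattern in rules
    )


def evaluate_login(event, managed_accounts, pending, rules=PRIVILEGED_USER_RULES):
    """Return an alert dict for an unmanaged privileged login, or None.

    event            -- {"platform": ..., "user": ..., "host": ...}  (constructed format)
    managed_accounts -- set of (user, host) pairs already stored in the Vault
    pending          -- set that plays the role of the Pending Accounts list (mutated)
    """
    if not is_privileged(event["platform"], event["user"], rules):
        return None
    key = (event["user"].lower(), event["host"].lower())
    if key in managed_accounts:
        return None
    # Automatic remediation "Add To Pending": queue the account for onboarding.
    pending.add(key)
    return {"alert": "Unmanaged privileged account", "user": event["user"], "host": event["host"]}


def run_detection(events, managed_accounts, rules=PRIVILEGED_USER_RULES):
    """Evaluate a batch of login events; returns (alerts, pending_accounts)."""
    pending = set()
    alerts = [a for a in (evaluate_login(e, managed_accounts, pending, rules) for e in events) if a]
    return alerts, pending


# Constructed sample input (not from the guide): root01 is already managed, the rest are not.
MANAGED = {("root01", "target-lin")}
EVENTS = [
    {"platform": "unix", "user": "root01", "host": "target-lin"},   # managed: no alert
    {"platform": "unix", "user": "root02", "host": "target-lin"},   # privileged, unmanaged: alert
    {"platform": "unix", "user": "alice",  "host": "target-lin"},   # not privileged
    {"platform": "unix", "user": "rooter", "host": "target-lin"},   # also matches root.*
]

# root.* matches any name that starts with "root". A narrower pattern (illustration only,
# not the lab's setting) keeps root, root01, root02 ... but drops names such as "rooter".
NARROW_RULES = [("unix", r"root[0-9]*")]

if __name__ == "__main__":
    alerts, pending = run_detection(EVENTS, MANAGED)
    print("alerts :", [a["user"] for a in alerts])
    print("pending:", sorted(pending))
    print("narrow :", [a["user"] for a in run_detection(EVENTS, MANAGED, NARROW_RULES)[0]])
```

The point of the last two lines is the caveat a practitioner wants: root.* is anchored only at the start, so any username beginning with root is treated as privileged. That is what the lab wants for root01, root02 and so on, but it is worth knowing which other names on your systems the pattern will also catch before enabling Add To Pending.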
In this section you will configure the PTA to detect when privileged accounts are being
used without first retrieving the password from CyberArk PAM and trigger the CPM to
initiate a password change.
1. Log in to the PVWA as Mike and go to POLICIES > Safes. Hover over the LIN-PTA
safe and click on the Members button at the end of the line.
2. Click on Add Member and search for pta in the Vault. This will find both the
PTAUser and the PTAAppUser. First, select the PTAUser. Keep the default
permissions and expand Account Management. Select “Initiate CPM account
management operations” and click on Add.
3. Repeat the step above to add the PTAAppUser to the LIN-PTA safe as well
(including the “Initiate CPM account management operations” permission).
By this time, the three minutes that we set with the parameter not_via_pim_time_window
should have expired.
5. Once again, open PuTTY from the Components server (not via the PVWA) and
open an SSH session to target-lin as root02 (the password should still be
Cyberark1).
6. Log in to the PVWA as Mike and go to Security > Security Events and verify that
you can see the “Suspected Credentials Theft” alert related to root02.
7. In the Accounts tab, go to the root02 account and verify that the CPM has changed
the password (or that a change is scheduled; it may take a couple of minutes).
8. Open the Activities tab and verify that, after the PTA raised the suspected credential
theft alert, it added the file category ResetImmediately = ChangeTask to the account
and the CPM then changed the password.
9. As a final step, go back to the Security Events view and click the Close button. A
pop-up will ask you to confirm the action. Click Close Event to inform the PTA that
the incident has been handled.
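The check behind the alert you have just closed is a comparison of two timestamps: the login time reported by the target machine and the last time the password was retrieved from the Vault, judged against the not_via_pim_time_window value (480 minutes by default, 3 in this lab). The block below is an added example written for this guide, not PTA code; the event format, the sample logins and retrieval times are constructed, and the way it treats an account that was never retrieved, or retrieved only after the login, is an assumption about how such cases should be scored rather than documented PTA behaviour.

```python
from datetime import datetime, timedelta

# PTA default: a login is suspect if the password was not retrieved in the last 8 hours.
DEFAULT_WINDOW_MINUTES = 480
# Value the lab sets through not_via_pim_time_window in system.properties.
LAB_WINDOW_MINUTES = 3


def suspected_credential_theft(login_time, last_retrieval_time, window_minutes=DEFAULT_WINDOW_MINUTES):
    """Return True when a privileged login on the target is not covered by a Vault retrieval.

    login_time          -- time the target machine recorded the login
    last_retrieval_time -- last time the account's password was retrieved from the Vault,
                           or None if it was never retrieved (assumption: treated as suspect)
    window_minutes      -- how far back a retrieval still explains the login
    """
    if last_retrieval_time is None:
        return True
    delta = login_time - last_retrieval_time
    if delta < timedelta(0):
        # Assumption: a retrieval that happened after the login cannot have been used for it.
        return True
    return delta > timedelta(minutes=window_minutes)


def evaluate_logins(logins, retrievals, window_minutes=DEFAULT_WINDOW_MINUTES):
    """Apply the check to a batch of login events.

    logins     -- list of (user, host, login_time)                       (constructed format)
    retrievals -- dict {(user, host): last_retrieval_time}
    Returns the (user, host) pairs that would raise a Suspected Credential Theft event,
    i.e. the accounts the PTA would hand to the CPM for an immediate change.
    """
    alerts = []
    for user, host, login_time in logins:
        last = retrievals.get((user, host))
        if suspected_credential_theft(login_time, last, window_minutes):
            alerts.append((user, host))
    return alerts


# Constructed sample data (not from the guide): three logins to target-lin at 10:00.
SAMPLE_RETRIEVALS = {
    ("root01", "target-lin"): datetime(2022, 3, 21, 9, 58),   # retrieved 2 minutes before login
    ("root02", "target-lin"): datetime(2022, 3, 21, 9, 30),   # retrieved 30 minutes before login
    # root03 has no retrieval at all
}
SAMPLE_LOGINS = [
    ("root01", "target-lin", datetime(2022, 3, 21, 10, 0)),
    ("root02", "target-lin", datetime(2022, 3, 21, 10, 0)),
    ("root03", "target-lin", datetime(2022, 3, 21, 10, 0)),
]

if __name__ == "__main__":
    print("default window:", evaluate_logins(SAMPLE_LOGINS, SAMPLE_RETRIEVALS))
    print("lab window    :", evaluate_logins(SAMPLE_LOGINS, SAMPLE_RETRIEVALS, LAB_WINDOW_MINUTES))
```

With the default window only root03 (never retrieved) is flagged; with the lab's 3-minute window root02 is flagged as well, because its retrieval 30 minutes earlier no longer explains the login. This is exactly why the lab shortened the window: it lets you provoke the alert in minutes instead of waiting eight hours.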
In this section you will configure the PTA to detect when a password is changed manually,
bypassing the CPM, and have the PTA trigger the CPM to reconcile the password.
For this exercise to work, we have configured the existing account root01 as a reconcile
account for the platform Linux via SSH 30.
1. Log in to the PVWA as Mike and go to Accounts > Accounts View, select the root02
account, and launch an SSH connection via the PSM.
2. Type the following command to change the password of root02 back to Cyberark1:
passwd root02
3. Go back to the PVWA as Mike and go to Security > Security Events. You should
be able to see two new alerts: one for “Suspicious activities detected in a
privileged session”, and one for “Suspicious password change”.
Explanation: Because the Platform has automatic reconciliation configured, we have configured
the PTA to perform a reconciliation when a suspicious password change is
detected. The password will be changed from the one set by the user to a random
one known only to the Vault.
4. Still in the Security Events view, click on the Session ID. This will bring us to the
Monitoring view where we can see additional information about the session in
question, which is still running.
5. Here we can terminate the session, cutting off the attacker’s access; suspend the
session if we are not sure whether it is an attack; resume a previously suspended
session; and monitor sessions live. We have already seen this functionality in the
PAM Administration training, so just click Terminate to end the session. You will
have to click on the RDP file sent to Mike to terminate the PuTTY session.
6. Go to Accounts > Accounts View and select root02. Verify that root02 was indeed
reconciled by the CPM (remember that a reconcile may take a little longer than a
password change).
You may see a message like the one below. This is misleading; just be patient.
Note: If for some reason you do not see the automatic reconcile, check your security
configuration to make sure that automatic rotation is activated for suspicious
credential theft.
In this section, we will configure a rule that says that if anyone opens the application used
to manage our email server, that session will be suspended. Before we begin, let’s just
make sure that everything is ready for this exercise.
Now log into the PrivateArk Client and browse to Tools → Administrative Tools → Users
and Groups and make sure that the AD group CyberArk Vault Admins is a member of
the groups Auditors and PSMLiveSessionTerminators. This should already be the case,
but it never hurts to check.
5. In the Description field enter This is to prevent unauthorized use of the Email
Server Admin Console.
6. In the Session Response field, select Suspend, ensure that the status is Active,
and click Add.
1. For convenience, leave open the first PVWA session and log into the PVWA again
using another browser or a new incognito session with the LDAP username John and
the password Cyberark1.
2. Go to the Accounts view and locate the credentials for the domain account
administrator on acme.corp and launch a PSM connection to the Domain Controller
dc01.acme.corp.
3. Open the Windows Start menu and select MailEnable. This is the administration
tool for the email server.
5. Go back to the PVWA session you opened as Mike and go to Security Events and
look for these recent events.
6. Click on the Resume button to allow John to shut down the offending application.
Go back to the RDP session for DC01, close the MailEnable application, and log off
the machine (do NOT shut down the machine).
Tip: If you want to give John the right to edit the email server, you could create an
exception for him in the rules.
In this section you will configure the PTA to detect when a risky command is used in a
privileged session and to terminate the session automatically.
1. Log in to the PVWA as Mike and go to Security > Security Configurations >
Privileged Session Analysis and Response. Find the SSH rule for the passwd
command (the *nix command for changing passwords) and click on Edit.
2. Configure the risk to a score of 95 and the Session Response to Terminate. Click
on Save.
3. Go to Accounts > Accounts View and select the root02 account. Launch a
privileged session by clicking on the Connect button.
4. When the session opens, try to run the passwd root02 command again. The
session should close immediately when you hit Enter.
5. Back in the PVWA, verify that you can see the recent security alerts and that the
last session got a score of 95. You can close this event and any others that we have
already managed.
In this section, we will tweak the rule we created in the last section so that if a designated
user needs to execute passwd during a session, their session will not be terminated.
1. Go back to Security > Security Configurations, select the passwd rule, and click
the Edit button.
3. Enter the user name Carlos in the field, hit Enter (this is required to enter the user
name into the field), and then click the Change Scope button. You will then be
returned to the Edit Rule dialog. Click Save to close the dialog.
4. To test the rule, you can log in to the PVWA as the user Carlos and run the passwd
command against any of the accounts in the LIN-PTA safe. Your session should not
be terminated.
Note: Because we have set a rule to reconcile any account that is changed outside of the
CPM, any account modified in this way will automatically be reconciled.
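The two session rules built in the last sections (suspend a Windows session that opens the email server console, terminate an SSH session that runs passwd with a risk score of 95, and exempt Carlos from the latter) can be modelled as a small rule evaluator. The block below is an added example written for this guide, not PTA code: the rule and event formats are constructed, the score of 80 for the MailEnable rule is a placeholder because the guide does not state one, and treating an excluded user as simply outside the rule's scope is an assumption about how the exception behaves.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionRule:
    name: str
    kind: str                 # "ssh_command" or "windows_app" (constructed event kinds)
    pattern: str              # regex matched against the command line or application name
    score: int                # risk score assigned to the session (0-100)
    response: str             # "None", "Suspend" or "Terminate"
    excluded_users: frozenset = frozenset()   # users the rule is not applied to


RULES = [
    # The passwd rule as configured in the lab: score 95, Terminate, exception for Carlos.
    SessionRule("passwd", "ssh_command", r"^\s*passwd\b", 95, "Terminate", frozenset({"carlos"})),
    # The email-server rule: the guide gives the response (Suspend) but no score; 80 is a placeholder.
    SessionRule("MailEnable", "windows_app", r"^MailEnable", 80, "Suspend"),
]

RESPONSE_ORDER = {"None": 0, "Suspend": 1, "Terminate": 2}


def match_rule(user, event, rules=RULES):
    """Return the first rule that applies to this user's event, or None."""
    for rule in rules:
        if rule.kind != event["kind"]:
            continue
        if user.lower() in rule.excluded_users:
            continue   # assumption: an excluded user is out of the rule's scope entirely
        if re.search(rule.pattern, event["value"]):
            return rule
    return None


def evaluate_session(user, events, rules=RULES):
    """Walk a session's events in order and return (score, response, matched_rule_names).

    The score is the highest score of any matched rule and the response the strongest one
    matched. Evaluation stops at the first Terminate, since no later events can happen.
    """
    score, response, matched = 0, "None", []
    for event in events:
        rule = match_rule(user, event, rules)
        if rule is None:
            continue
        matched.append(rule.name)
        score = max(score, rule.score)
        if RESPONSE_ORDER[rule.response] > RESPONSE_ORDER[response]:
            response = rule.response
        if response == "Terminate":
            break
    return score, response, matched


# Constructed sample sessions (not from the guide).
MIKE_SESSION = [
    {"kind": "ssh_command", "value": "ls -la /etc"},
    {"kind": "ssh_command", "value": "passwd root02"},
    {"kind": "ssh_command", "value": "id"},            # never reached: session terminated
]
CARLOS_SESSION = [{"kind": "ssh_command", "value": "passwd root02"}]
JOHN_SESSION = [{"kind": "windows_app", "value": "MailEnable Administrator"}]

if __name__ == "__main__":
    for who, session in (("mike", MIKE_SESSION), ("carlos", CARLOS_SESSION), ("john", JOHN_SESSION)):
        print(who, evaluate_session(who, session))
```

Mike's session is cut off at passwd with a score of 95, Carlos runs the same command untouched, and John's session is suspended rather than terminated, which is what lets an operator resume it and ask him to close the application, as in the MailEnable exercise.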
The PTA can also be configured to onboard newly discovered privileged accounts
automatically through Onboarding Rules. To do this, we need to give the PTA users
(PTAAppUser and PTAUser) access to the target Safe so that they can create and modify
accounts.
3. Modify the rights for the Vault users PTAAppUser and PTAUser by adding the
following Safe authorizations:
1. Next click on Accounts -> Onboarding Rules and create a new rule using the
wizard with the following parameters:
Safe LIN-PTA
With this rule, when the PTA detects the use of a new unmanaged Unix or Linux account,
it will automatically add the account to CyberArk PAM and place it in the LIN-PTA Safe.
1. Open a new PuTTY session (not via the PVWA) to the Target Linux machine at
10.0.0.20 with root03 and password Cyberark1.
2. Now go back to the PVWA and Security > Security Events. You should see a new
event with risk score of 30 and that remediation has been initiated. The account has
been automatically onboarded and reconciled thanks to our rule.
3. Next, go to the Accounts tab in PVWA and find the recently onboarded root03
account and verify that it has been onboarded and reconciled.
Note: The PTA Agent on a domain controller (or the Network Sensor machine) is not
part of the Core PAM basic license and requires an additional license.
Now we are ready to install the PTA Agent on the domain controller. This process is
similar, although not identical, to installing the Agent on a regular Windows server.
As when we installed the PTA Agent on a Windows server, this process is divided into two
tasks:
1. Launch a PSM connection with the administrator account to dc01 in the PVWA.
5. Leave the default PTA Management Port and PTA Data Port by hitting Enter on
both.
6. We are going to authenticate both our server and our client, so enter Y for server
authentication and client authentication and enter the FQDN as the Subject Name
exactly as: ptaagent (this is linked to a certificate specifically created for this purpose
in this lab).
7. Leave the default location “%TEMP%” for the installation log by entering n.
8. Next type n to leave the default location for the PTA Agent MSI file.
1. Next go back to the PTA Course folder and open the file PTAAgentInstallerOutput.txt
3. As before, you will need to wait a moment for the installation to complete.
Note: You should see a pop-up CMD window appear that will auto-dismiss in 5 seconds
to inform you that the installation has been successful.
4. Open the Services window and you should see a new service called CyberArk
Privileged Threat Analytics with the status Started.
5. Open the properties for the service and change the Startup type from Automatic to
Automatic (Delayed Start).
6. In the Recovery tab, change the response to First failure to Restart the service.
These changes will help ensure the continuity of the service in the event the server is
restarted.
Verifying
2. Open the file config.ini and verify the values highlighted in yellow below. If the
information is not exactly as shown, correct it in the file, save your changes, and then
restart the service.
[Forwarder]
Windows_Event_Log=ForwardedEvents
[ServerInfo]
PTA_IP_Address=ptaserver.acme.corp
SSL_Data_Port=6514
SSL_Control_Port=7514
Data_Port=11615
[DCInfo]
Network_Interface_ID=1
Server_Verification_Required=true
Windows_Event_Enabled=false
Network_Enabled=true
[ClientCertificate]
Client_Certificate_Enabled=true
Client_Certificate_Subject_Name=ptaagent
4. Enter 1 to print statistics. The output should confirm that the Agent connected
successfully to the PTA server.
5. Return to the PTA Dashboard and you should see at the bottom all 5 sources of
inputs from the Vault, SIEM, Unix, Network Sensor, and AD.
Note: You may need to restart your PTA server for the dashboard to be refreshed. Run
“service appmgr restart” on the PTA command line.
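Both agent installs in this guide end with the same manual check of config.ini, and the two expected listings differ only in the event log, the two Enabled flags and the certificate subject name. The block below is an added example written for this guide, not a CyberArk tool: it reads a config.ini text with the standard library and reports every value that differs from the listing for the chosen role. The expected values are the ones printed in this guide; the sample config it checks is constructed to look like a fresh Windows-server install that still has the ForwardedEvents default, and the rule that only the subject name is compared case-sensitively is an assumption drawn from the guide's remark that the subject name is case sensitive.

```python
import configparser

# Values common to both listings in this guide.
COMMON = {
    ("ServerInfo", "PTA_IP_Address"): "ptaserver.acme.corp",
    ("ServerInfo", "SSL_Data_Port"): "6514",
    ("ServerInfo", "SSL_Control_Port"): "7514",
    ("ServerInfo", "Data_Port"): "11615",
    ("DCInfo", "Network_Interface_ID"): "1",
    ("DCInfo", "Server_Verification_Required"): "true",
    ("ClientCertificate", "Client_Certificate_Enabled"): "true",
}

# Role-specific values: the Windows server agent listing and the domain controller listing.
EXPECTED = {
    "windows_server": {
        **COMMON,
        ("Forwarder", "Windows_Event_Log"): "Security",
        ("DCInfo", "Windows_Event_Enabled"): "true",
        ("DCInfo", "Network_Enabled"): "false",
        ("ClientCertificate", "Client_Certificate_Subject_Name"): "target-win.acme.corp",
    },
    "domain_controller": {
        **COMMON,
        ("Forwarder", "Windows_Event_Log"): "ForwardedEvents",
        ("DCInfo", "Windows_Event_Enabled"): "false",
        ("DCInfo", "Network_Enabled"): "true",
        ("ClientCertificate", "Client_Certificate_Subject_Name"): "ptaagent",
    },
}


def check_agent_config(ini_text, role):
    """Return a list of human-readable mismatches between ini_text and the listing for role."""
    cp = configparser.ConfigParser()
    cp.optionxform = str          # keep key case as written in the file
    cp.read_string(ini_text)
    problems = []
    for (section, key), want in EXPECTED[role].items():
        if not cp.has_option(section, key):
            problems.append(f"[{section}] {key} is missing (expected {want})")
            continue
        got = cp.get(section, key).strip()
        # Assumption: the certificate subject name is case-sensitive, other values are not.
        same = got == want if key == "Client_Certificate_Subject_Name" else got.lower() == want.lower()
        if not same:
            problems.append(f"[{section}] {key}={got} (expected {want})")
    return problems


# Constructed sample (not the page's file): a fresh Windows-server agent install that still
# carries Windows_Event_Log=ForwardedEvents, the value the guide says you will probably change.
FRESH_INSTALL_INI = """\
[Forwarder]
Windows_Event_Log=ForwardedEvents
[ServerInfo]
PTA_IP_Address=ptaserver.acme.corp
SSL_Data_Port=6514
SSL_Control_Port=7514
Data_Port=11615
[DCInfo]
Network_Interface_ID=1
Server_Verification_Required=true
Windows_Event_Enabled=true
Network_Enabled=false
[ClientCertificate]
Client_Certificate_Enabled=true
Client_Certificate_Subject_Name=target-win.acme.corp
"""

# Constructed domain-controller variant of the same file, derived by swapping the role-specific values.
DC_INI = (FRESH_INSTALL_INI
          .replace("Windows_Event_Enabled=true", "Windows_Event_Enabled=false")
          .replace("Network_Enabled=false", "Network_Enabled=true")
          .replace("target-win.acme.corp", "ptaagent"))

if __name__ == "__main__":
    print("windows server   :", check_agent_config(FRESH_INSTALL_INI, "windows_server") or "OK")
    print("domain controller:", check_agent_config(DC_INI, "domain_controller") or "OK")
```

Run against the constructed Windows-server file it reports only the Windows_Event_Log line, which is the one change the guide tells you to expect; the domain-controller variant passes cleanly. Remember that a corrected file only takes effect after the CyberArk Privileged Threat Analytics service is restarted.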
Running AGENTSHELL
2. Enter the IP address for the domain controller: 10.0.0.1 and hit Enter. Then enter 1
and Enter to show statistics.
Note: You may observe a number of failed connection attempts in the statistics. This is
the PTA Agent attempting to connect to the second PTA server, which is not yet
online.
3. Enter a to change the target and perform the same test for 10.0.21.1 to check for
agent connectivity. When you are finished, enter q to quit.
Kerberos Attacks
In this section, we are going to run a number of attack-simulation tools to generate data for
capture by our Network Sensor and for analysis by the PTA. The attacks we will simulate
are:
• Overpass-the-Hash
• DCSync
• Golden Ticket
Note: Before running these exercises, verify that the CyberArk Privileged Threat
Analytics service is up and running on the domain controller DC01.
Overpass-the-Hash
Our friend John wants to be able to connect with his Active Directory account to
Target-Win so that he can perform administrative tasks on that server without bothering
to go through CyberArk PAM (bad John!), so he has added himself to the local
administrator group.
Unfortunately, John is not too careful. He got phished and someone was able to get his
password. That person is going to log in to Target-Win and wait for a domain
administrator to log in so that she can grab the hash and connect to the domain controller.
The purpose of this exercise is to demonstrate the risks of not respecting the rules of best
practice and how CyberArk can protect an organization from this kind of behavior and
against the attacks to which this behavior exposes your organization.
We performed this task earlier for the LIN-PTA safe. Now we are going to do it for the
Safe where our Windows accounts are stored.
1. Go to the Policies > Safes window, click the Win-PTA safe, and then click
Members.
3. Give the user the same rights as we did on the Safe LIN-PTA.
Now the attacker performs her reconnaissance. She is going to connect to Target-Win
with the password she phished from John.
1. Go to the Skytap environment view and click on the server labelled Target Windows.
This is the machine Target-Win.
3. Open Windows Explorer and browse to c:\KAG_V5, right-click on the Windows batch
file KerberosAttacksGenerator.bat and select Run as administrator.
Tom, who has access to a domain administrator account, wants to perform some
maintenance on target-win.
1. On Components, connect to the PVWA as tom and launch a connection with the
account admin01 to the machine target-win.
2. Do not close the RDP session; leave it open. You don’t need to do anything.
The hash of admin01’s account is now in the system memory of target-win. Admin01 is a
domain administrator, so if the hacker can grab that hash, she can use it to get a foothold
on the domain controller.
1. Return to the attacker’s session on target-win (the one opened with John’s phished
password). In the PowerShell window, after the tool checks the prerequisites, enter 1
and hit Enter to launch an Overpass-the-Hash attack.
2. The tool will then scan the memory for credentials. It should find admin01, among
others, with each credential assigned a number. Enter the number associated with
the admin01 account. In the example below, this is number 1, but on your system it
might be different.
3. Next, the tool proposes to use 1 – AES hash, 2 – NTLM hash, or 3 – both. Enter 3
to send both hashes (this will also increase our chances of success).
4. If successful, a new CMD window will open with a remote session on the domain
controller with the credentials admin01 (make sure you get the new shell otherwise
the attack was not successful, and you will not see an event in the PTA Dashboard).
Note: You may need to run this a second time if it does not work the first.
The response
1. Go back to the PVWA as Mike and go to Security > Security Events on the PVWA
and look for this event. Notice the message “Initiated remediation”. This indicates
that CyberArk has performed an automatic action in relation to this event.
2. Go to Accounts > Accounts View and locate the admin01 account. You should see
that the password has been changed.
Note: As a follow-up to this, the security operations team would have to identify and
terminate the remote session initiated by the hacker with the stolen password.
Also, it would probably be a good idea to restrict access to domain administrator
accounts and to limit those accounts only to servers where they have legitimate
business.
DCSync
For this exercise, we are going to use DCSync. This technique allows an attacker to
mimic the behavior of another domain controller and to induce the real controller to share
information about the password history of a particular account in the form of hashes. If the
attacker is then able to crack the hashes, she will have an idea of the administrator’s
strategy for generating passwords and may be able to guess the next one.
For this operation, we will imagine that a hacker has the credentials of a user who can
synchronize a domain controller. A domain admin can do that.
The attack
1. Log on to target-win again through Skytap, but this time use the account admin02.
2. Run the Kerberos Attacks Generator batch file with the option Run as
administrator as we did before, bypassing execution policy. The KAG is in
c:\KAG_V5.
4. Enter the name of the account for which you want to retrieve the information:
administrator and watch the results.
The attack has been successful and the attacker now has a wealth of data about the
domain administrator account.
The response
1. Log in to PVWA as Mike and look for this recent event under Security Events.
There are two entries related to this attack. The first one is an unmanaged privilege
account notification. This tells us that someone logged into target-win using a privileged
account – admin02 – that is not under CyberArk PAM management. The next step would
be to onboard this account and perform a password change.
The second notification informs us of the DCSync attack. When seen in the context of the
previous message, this becomes an extremely high-risk event and must be dealt with
immediately. We would need to terminate admin02’s session, find out which accounts
were compromised, and rotate them.
As a final step, you would open the event under Security Events and close it.
Golden Ticket
In this section we will detect a Golden Ticket attack. In a Golden Ticket attack, the attacker
gains control over the domain’s Key Distribution Service account (KRBTGT account) by
stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets
(TGTs) for any account in the Active Directory domain. With valid TGTs, the attacker can
request access to any resource/system on a domain from the Ticket Granting Service
(TGS).
In this section, we are going to configure Golden Ticket detection, which we skipped over
during the initial configuration. Note that we will say No to the first two options presented
to us.
./goldenTicketConfiguration.sh
3. Enter n not to configure Step 1/3 – PAS connection configuration (we have
already done this).
4. Enter n not to configure Step 2/3 – Network sensor and PTA Agent connection
configuration (we have already done this).
11. Enter the full object name of the specially created domain account: cyberark-pta-golden.
The easiest way to obtain this name is by locating the account in the PVWA,
opening it in the classic interface, and copying and pasting the name from there. In
this way, you can be absolutely sure that you have the correct name.
Note: This is the object name for a dedicated service account on the domain controller and
is already in CyberArk PAM. This special domain user needs to be created with the
following replication permissions:
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes In Filtered Set.
14. PTA Server will now finish with the Golden Ticket configuration and restart the
appmgr service automatically.
The attack
1. If you are not already logged on, log on to target-win.acme.corp again through
Skytap, using the account admin02.
2. Run the Kerberos Attacks Generator as we did before, bypassing execution policy
and choosing the option Run as administrator. The KAG is in c:\KAG_V5.
4. Enter Joker when asked to choose a username to impersonate, although you can
choose anything you want.
Note: The KAG tool will now create the Golden Ticket for the user "Joker", who is not a
valid user in your domain. This works because the tool is able to steal the hash of the
domain krbtgt (Kerberos ticket generating ticket) account and inject the created
ticket into the current session.
5. To verify that the attack worked, make sure you receive the shell on DC01 as Joker.
The response
1. Log in to PVWA and under Security Events look for this recent event.
Note: You may see more than one event related to this attack.
• Exposed credentials
• Unmanaged domain accounts
• Unconstrained delegation
Exposed Credentials
For this to work, we need to “break” our PTA LDAP/S connection by reconfiguring it to use
regular unencrypted LDAP.
Note: Obviously, this is not a recommendation. We are doing this only so that we may see
how the PTA detects this risk.
1. Log in to the PTA Dashboard with the administrator account and password
CyberArk1234.
3. Change the parameter LDAP over SSL to No. Notice the port number changes.
4. Save your changes and then log out of the PTA Dashboard.
5. Now log in to the PVWA and in Security -> Security Events, you can see the
Exposed Credentials risk.
6. Once tested, reactivate the connection over LDAP/S and save the modification.
Unconstrained Delegation
The PTA detects these configurations and displays them so that administrators can make
decisions about what to do. There may be a reason why a service account is configured
this way. In any case, this account is a good candidate for onboarding to the Vault.
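One way to find such accounts yourself, as an added example that is not part of the guide: the shell functions below read an LDIF-style export (the attribute names are those ldapsearch prints; the three records are constructed) and report every object whose userAccountControl carries the unconstrained-delegation bit, skipping domain controllers, which hold that bit legitimately.

```shell
#!/bin/sh
# Added example, not part of the CyberArk guide: find accounts that are trusted
# for unconstrained delegation in an LDIF-style directory export (the attribute
# layout below matches what ldapsearch prints; the records are constructed).
# Domain controllers carry the same flag legitimately and are excluded via
# SERVER_TRUST_ACCOUNT, so only service/user accounts are reported.

TRUSTED_FOR_DELEGATION=524288   # userAccountControl bit 0x80000
SERVER_TRUST_ACCOUNT=8192       # userAccountControl bit 0x2000 (domain controllers)

SAMPLE_LDIF="${TMPDIR:-/tmp}/uac.sample.ldif"

# Constructed sample export: one risky service account, one DC, one plain admin.
write_sample_ldif() {
  cat > "$SAMPLE_LDIF" <<'EOF'
dn: CN=scanaccount01,CN=Users,DC=acme,DC=corp
sAMAccountName: scanaccount01
userAccountControl: 590336

dn: CN=DC01,OU=Domain Controllers,DC=acme,DC=corp
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=admin02,CN=Users,DC=acme,DC=corp
sAMAccountName: admin02
userAccountControl: 66048
EOF
}

# Return 0 when UAC value $1 has unconstrained delegation on a non-DC object.
is_unconstrained() {
  [ $(( $1 & TRUSTED_FOR_DELEGATION )) -ne 0 ] &&
  [ $(( $1 & SERVER_TRUST_ACCOUNT )) -eq 0 ]
}

# Print the sAMAccountName of every record in FILE that is_unconstrained flags.
unconstrained_delegation() {
  name=""; uac=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      sAMAccountName:*)     name=${line#sAMAccountName: } ;;
      userAccountControl:*) uac=${line#userAccountControl: } ;;
      "")  # a blank line ends one record
        [ -n "$name" ] && is_unconstrained "$uac" && printf '%s\n' "$name"
        name=""; uac=0 ;;
    esac
  done < "$1"
  # the last record has no trailing blank line
  [ -n "$name" ] && is_unconstrained "$uac" && printf '%s\n' "$name"
  return 0
}

write_sample_ldif
unconstrained_delegation "$SAMPLE_LDIF"
```

Any name this prints that is not a domain controller is the kind of account the PTA reports under Unconstrained delegation and a candidate for onboarding to the Vault.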
If you want to remove this risky delegation, log on to the domain controller with the
administrator account, go to the Users container and locate the scanaccount01.
Right-click on it and select Properties, go to the Delegation tab, and select Do not trust this
user for delegation. Apply your changes.
You can run the following command on the domain controller to remove the SPN:
In this section, we are going to onboard the PTA Dashboard administrator account to the
Vault and connect via the PSM.
1. Log in to the PVWA as Mike and create a new Safe called CyberArk Accounts.
Address: ptaserver.acme.corp
Username: administrator
Password: CyberArk1234
Port: 443
Ignore certificates: No
Note: You may have to run it twice. Also, if you were previously logged into the PTA
normally (through Chrome) and did not log out before closing your session, you may
need to log out that session before this will work.
Troubleshooting
Shortcuts Utility
The output of this command is included as an appendix at the end of this guide.
3. Take a couple of minutes to go through the Aliases and see what information is
presented for each.
4. Spend some time looking into the diamond.log. This is the main log file for your
PTA server and you will need to use some basic Unix commands such as cat, grep,
| (pipe), > (redirect to file) and other commands to extract the data that will assist in
your troubleshooting. For example, the following would output all occurrences of the
string “administrator” on 25 February 2022:
5. Execute “RUN_DIAGNOSTICS” on your PTA server and look at the generated log for
any issues or misconfigurations.
Note: This is a lengthy process, so you might want to run it just before going on a break.
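The kind of grep pipeline step 4 describes, written out as an added example that is not the guide's own command: the functions below filter a diamond.log-style file by day and by string. The timestamp layout "YYYY-MM-DD HH:MM:SS,mmm" and the sample lines are assumptions made for this example, so compare them with a real /opt/tomcat/logs/diamond.log before relying on the date pattern.

```shell
#!/bin/sh
# Added example, not part of the CyberArk guide: pull out every line of a
# diamond.log-style file that belongs to one day and mentions one string.
# ASSUMPTION: lines start with "YYYY-MM-DD HH:MM:SS,mmm"; the sample below is
# constructed, so compare with a real /opt/tomcat/logs/diamond.log first.

SAMPLE_LOG="${TMPDIR:-/tmp}/diamond.sample.log"

# Constructed sample (not real PTA output): three days, one error line.
write_sample_log() {
  cat > "$SAMPLE_LOG" <<'EOF'
2022-02-24 23:59:58,102 INFO  [PTA-listener] logon user=administrator src=10.0.0.5
2022-02-25 08:12:01,441 INFO  [PTA-listener] logon user=administrator src=10.0.0.20
2022-02-25 08:12:02,003 ERROR [PTA-sampler] failed to send syslog to 10.0.0.99
2022-02-25 09:30:17,877 WARN  [PTA-listener] unmanaged privileged account administrator on target-win
2022-02-26 00:00:01,000 INFO  [PTA-listener] logon user=administrator src=10.0.0.5
EOF
}

# Print lines dated DATE (YYYY-MM-DD) that contain the fixed string PATTERN.
# Usage: log_on_date FILE DATE PATTERN
log_on_date() {
  grep "^$2 " "$1" | grep -F -- "$3"
}

# Same filter, but return the number of matching lines (0 when none).
count_on_date() {
  log_on_date "$1" "$2" "$3" | wc -l | tr -d ' '
}

# ERROR lines for one day, the dated counterpart of shortcuts.sh option 2.
errors_on_date() {
  log_on_date "$1" "$2" "ERROR"
}

write_sample_log
# The guide's example: every occurrence of "administrator" on 25 February 2022.
log_on_date "$SAMPLE_LOG" 2022-02-25 administrator
```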
1. You can adjust log levels with the script changeLogLevel.sh (case sensitive). This
script can be run from any location without entering the full path.
2. Change the log level for Listener to debug as shown below (refer to the
documentation).
3. Run “shortcuts.sh 13”. This will output only the most recent incoming syslog
messages from all sources. See documentation and/or the previous exercise for
more information.
4. Next, try connecting to the Target Linux machine at 10.0.0.20 via PSM or using PuTTY to
create some Syslog events.
The PTA has a built-in tool that can create an export of system configuration information
that can be used when interacting with CyberArk Support about any issues you may
encounter.
2. Enter the number of days of prior records to include (type in “3”, for example).
5. Go to /opt/tomcat/logs folder and look for the recently created archived file. When
working with CyberArk Support, provide them with this archive file.
PTA DR Server
In this section, we are going to configure our DR server, a process that is very much like
the process for configuring the primary server. We will generate a certificate for ptaserver2
as we did for ptaserver1 (the difference will be in the SAN), and run another wizard.
First, make sure that the virtual machine for PTAServer2 is started in Skytap. It is
programmed not to start automatically.
Note: The PTA version on the ptaserver2 machine has already been installed with 12.2.3
in preparation for this training, so there is no need to run an installation.
Getting a Certificate
UTILITYDIR
./run.sh
ptaserver.acme.corp
ACME
Training
New York
NY
US
ptaserver.acme.corp
dns:ptaserver2.acme.corp,ip:10.0.0.3
Note: Once again, you can either copy the CSR from the PuTTY screen or follow the
instructions below to get the file from the 10.0.0.3 server.
12. Open a WinSCP connection to PTAServer2 via the PVWA. Make sure the
option Map local drives is enabled.
15. Copy the file pta_server.csr to the Downloads directory; you can drag and
drop the file within WinSCP.
1. Launch Internet Explorer and you will arrive at the Microsoft Active Directory
Certificate Services page:
https://dc01.acme.corp/certsrv
5. Copy all the contents of the pta_server.csr file (or from the PuTTY window) and paste
it in the relevant box as shown below:
6. Select ACME Server from the Certificate Template drop-down menu and click
Submit.
8. In the next screen select Download certificate, making sure it is DER encoded, and
save it as pta2.cer.
9. Return to the WinSCP application on ptaserver2 and transfer the files pta2.cer and
acme.cer (the Root authority certificate) to the PTA server, placing both files in the
/tmp/ folder.
./run.sh
4. Select option 15
5. Enter the full path to your new server certificate, which should be:
/tmp/pta2.cer
6. When asked if you have a Root certificate type y and then press Enter
/tmp/acme.cer
8. When asked if you have an Intermediate certificate, type n and then press Enter
10. PTA services will now be restarted automatically, please allow a moment for this to
take place.
9 Steps
Now we will run the 9-step configuration wizard. It is shorter than the first wizard because
this DR server will take most of its configuration from the Primary server.
1. On the Components server, start an SSH session to the ptaserver2 (either with
PuTTY or via the PSM).
cd /opt/tomcat/utility/dr
./minimalPrepwiz.sh
4. Press y and then Enter to accept the EULA (the End User License Agreement, after
having read it carefully, of course).
right/Europe/London
10. Specify the current time in the system. Use the Components server's date and current
time as the system time. It should look something like:
06/29/2020 15:01
11. Enter n and then Enter not to configure synchronization with an NTP Server.
14. Step 7/9 creates the PTA maintenance user; type in the password:
Cyberark1
17. Step 9/9 - Setup Disaster Recovery, first enter y to agree to continue.
18. Enter the SAN in FQDN format for the Primary server:
ptaserver1.acme.corp
ptaserver2.acme.corp
Primary Setup
As the final step for DR configuration, we will run a short wizard on the primary server
telling it there is now a DR server.
/opt/tomcat/utility/dr/setupPrimary.sh
ptaserver1.acme.corp
ptaserver2.acme.corp
7. Setup for DR on the primary PTA should finish successfully as per below
As a final step in DR setup, we are going to check on each server that it has a file
identifying its current role.
4. Lastly, to verify both servers are online and communicating with each other, run the
following command on ptaserver1
RUN_DIAGNOSTICS P092
5. You should be able to see the following output, indicating both servers are online.
The process of failing over to the PTA DR server is a manual one. When an administrator
notices that the primary PTA has failed, he or she must log into the DR server and
promote it to the role of primary.
1. Log into the PVWA and open an SSH connection to the primary PTA server.
shutdown now
3. Now launch an SSH connection to the secondary server (PTAServer2) and run the
command:
/opt/tomcat/utility/dr/promoteDemote.sh
4. You will receive a warning asking whether you want to continue. Enter y:
This tool promotes the secondary PTA Server to Primary after the
primary Server fails. This tool can take some time to run and the
changes cannot be reversed.
We recommend taking a snapshot of each PTA Server before running the
tool.
Do you wish to continue? (y/n): y
5. You will then be prompted for the user name and password of a Vault user. Accept
Administrator and enter the password Cyberark1.
The script will perform its tasks and promote the secondary server to the primary role.
6. We will need to re-enter the bind account user password. We do not need to
reconfigure dbparm.ini because the Vault has been configured to forward syslog
messages to both IP addresses for the PTA servers.
7. After a few minutes, run the following on PTAServer2 to verify that it has been
promoted to the primary role:
ls /opt/pta/mode
Optional Exercises
Go to https://docs.cyberark.com and find the instructions for bringing a PTA server back
on-line after a failover.
The following exercise can be used as an additional test of the CyberArk PTA's detection
capabilities. In this section we will detect a Golden Ticket attack. In this case we will use
Mimikatz to generate the attack.
3. Run:
privilege::debug
Privilege ’20’ OK
lsadump::dcsync /user:krbtgt
6. Copy the following SID and Hash NTLM values to Notepad so that we can use them
later (highlighted in red boxes below). For the SID, we do not copy the full string:
we drop the last 3 digits, because we only need the domain's SID.
Hint: You can copy the information in the command window by clicking on the kiwi icon in
the upper left-hand corner of the window and selecting Edit -> Mark and then using
the mouse to select the text to copy.
7. Now enter the following, making sure to replace the values with the values captured
by mimikatz:
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
mimikatz #
misc::cmd
9. In the CMD window type “pushd \\DC01\c$” (Notice that you now have access to the
C drive of DC01 because you have injected the Kerberos Golden Ticket in memory
into the session).
Note: If this does not work immediately, try replacing “DC01” with the IP address of the
domain controller: 10.0.0.1 .
10. Open the Security Events page in PVWA and you should now see a new security
event indicating a Golden Ticket Attack.
Appendix
shortcuts.sh
1 - Output all errors in the last part of the main PTA log file,
follow the file and output any errors as the file grows
Command: tail -f /opt/tomcat/logs/diamond.log | grep "ERROR"
2 - Output all errors in the main PTA log file
Command: cat /opt/tomcat/logs/diamond.log | grep "ERROR" | less
3 - Output all listener metrics in the last part of the main PTA log
file, follow the file and output any listener metrics as the file
grows.
Use this:
To verify incoming traffic from the sensors (such as Vault,
Network Sensor, SIEM)
To verify the creation of audits per operation (such as Vault
retrieve password, Vault logon, Windows logon, Unix logon, Kerberos
traffic)
To verify that the syslogs from the various SIEMs (such as
ArcSight, QRadar, Splunk, and so on) are successfully accepted in PTA
Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-listener"
4 - Output all listener metrics in the main PTA log file
Use this:
To verify incoming traffic from the sensors (such as Vault,
Network Sensor, SIEM)
To verify the creation of audits per operation (such as Vault
retrieve password, Vault logon, Windows logon, Unix logon, Kerberos
traffic)
To verify that the syslogs from the various SIEMs (such as
ArcSight, QRadar, Splunk, and so on) are successfully accepted in PTA
Command: cat /opt/tomcat/logs/diamond.log | grep "metrics-PTA-listener" | less
5 - Output all sampler metrics in the last part of the main PTA log
file, follow the file and output any sampler metrics as the file
grows.
Use this:
To verify incident creation and that the outbound mail or
syslogs were sent
To verify mitigation results, such as rotate password upon
suspected credential theft
Command: tail -f /opt/tomcat/logs/diamond.log | grep "metrics-PTA-sampler"
6 - Output all sampler metrics in the main PTA log file
Use this:
To verify incident creation and that the outbound mail or
syslogs were sent
=====Aliases:=====
LOGSDIR - cd /opt/tomcat/logs
TAILDIAMOND - tail -f /opt/tomcat/logs/diamond.log
LESSDIAMOND - less /opt/tomcat/logs/diamond.log
DEFAULTPARM - less /opt/tomcat/diamond-resources/default/systemparm.properties
LOCALPARM - vi /opt/tomcat/diamond-resources/local/systemparm.properties
VAULTSERVICESDIR - cd /opt/tomcat/VaultServices/
VAULTSERVICESLOG - less /opt/tomcat/VaultServices/Casos.Debug.log
CASOSSERVICESDIR - cd /opt/tomcat/CasosServices