February 29, 2024

Understanding CyberArk CPM

Understanding CyberArk CPM

Leave a Comment /

The CPM is installed on a Windows system as an automatic system service called CyberArk Password Manager.

 It can be stopped and started through the standard Windows service management tools.

 

One-time password, exclusive & allow manual change:

– Account is locked when retrieved.

– If user releases manually, the account is set for ResetImmediately=ChangeTask and the CPM will change the password based on the immediate interval.

– If the user doesn’t release manually, CPM will release the account and change the password once the MinValidityPeriod has passed.

 

Exclusive & allow manual change (without one-time password):
– Account is locked when retrieved.

– If user released manually, we set the account for ResetImmediately=ChangeTask and the CPM will change the password based on the immediate interval.

– If the user doesn’t release manually the account will stay locked.

 

Exclusive & one-time password (without allow manual change):

– Account is locked when retrieved.

– If user released manually, the password won’t change.

– If the user didn’t release manually the account will be released in the One-time Password cycle.

 

Exclusive (without one-time password & allow manual change):

– Account is locked when retrieved.

– CPM will never change the password (if you think you are in this mode, but your password changes, you should uncheck AllowManualChange)


One-time password & allow manual change (without exclusive):

– Account is NOT locked when retrieved 

– The password WILL change by minValidityTime because we count the time from the last time it was used (not locked) lock. If the policy is set to periodic change, the password will also change in the periodic cycle.

– If the policy is set to periodic change, the password will change in the periodic cycle.

 

One-time password (without exclusive & allow manual change):

– Account is NOT locked when retrieved.

– The password will NOT change by MinValidityPeriod because the one-time change requires AllowManualChange to be set to “yes”. The account will be found, but ignored (see logs).

– If the policy is set to periodic change, the password will change in the periodic cycle.

 

Without exclusive, one-time password & allow manual change:

– Account is NOT locked when retrieved.

– The password will NOT change by MinValidityPeriod because both one-time passwords and AllowManualChange are off.

– If the policy is set to periodic change, the password will change in the periodic cycle.

 

Notes:

  • Any changes to the master policy settings require the refresh interval of the CPM to pass or a restart of the Cyber Ark Password Manager Service

  • Also, check that the PasswordManagerUser has “unlock user” permissions.

The CPM generates unique and highly secure passwords using the password policy and the random password generation mechanism. So, generally, passwords that are managed by the CPM do not require manual intervention.

Passwords are changed by the CPM in the following scenarios:

Scenario

Description

Password expired

The expiration period is configured in the Master Policy using the Require password change every X days rule.

For details, see Require password change every X days.

Request timeframe

A user requests to connect to an account or display a password (dual-control) for a certain timeframe, and that request is approved.

Once the timeframe expires, the password is changed (if the user already released the account, it is changed upon release).

Manual initiation

If the account is managed by the CPM, when the user clicks Change, an immediate change CPM operation is initiated.

One-time and exclusive passwords

Passwords that are defined as one-time passwords or that are configured for Exclusive Account mode are changed after every use. These are configured in the Master Policy with the Enforce one-time password access and the Enforce check-in/check-out exclusive access rules. These passwords are changed after accounts are checked-in manually or automatically after a minimum validity period defined in the Master Policy or based on the request timeframe.

Account groups

When the password of an account that is a member of a group is changed, the password values for the entire group are also changed.

Change password manually by user

 

You have the following options for changing the password:

Action

Description

Trigger the CPM to change the password

The account is managed by the CPMCPM changes the password in both the target machine and in the Vault .

You must have the following Safe member authorizations to initiate a password change:

  • Initiate CPM password management operations

Change the password manually only in the Vault .

You must have the following Safe member authorizations in the safe where the account is stored:

CACPM250E Operation on remote machine on password object safe: <Safe>, Folder: <Folder>,Object: <Object> failed (try #x) with the following error: Error in changepass to user <User> on domain <Domain> (\\Domain). (winRC=2245) The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.”

Note: https://cyberark.my.site.com/s/article/00001601

The period between 2 password changes is shorter than  Minimum Password Age configuration in GPO

Update the security policy on the target machine or domain GPO

\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

gpedit.msc


 

The Minimum password age policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If Maximum password age is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, Minimum password age can be any value between 0 and 998 days.

This policy setting is supported on versions of Windows that are designated in the Applies To list at the beginning of this topic.

Additionally, you can associate a Reconcile account to the platform in order to override the Minimum Password Age by resetting the password.

Source link

Understanding CyberArk CPM Read More »

KnowBe4 YARA Rules for PhishER

KnowBe4 YARA Rules for PhishER

Leave a Comment / 

rule Automated_SoftwareEmails
{
  strings:
    $ = /(\n|\r)From:.{0,200}[Salesforce].{0,200}</ nocase
    $ = /(\n|\r)Subject:.{0,200}[Salesforce]/ nocase

    $ = /(\n|\r)From:.{0,200}[HubSpot].{0,200}</ nocase
    $ = /(\n|\r)Subject:.{0,200}[HubSpot]/ nocase

  condition:
    any of them
}

For this rule to work, you’ll need to replace the text in brackets (?? with brackets?? ) with the name of a software application.

CEO Fraud Rule

 a YARA rule that identifies potential CEO fraud attempts, 

rule CEO_Fraud
{
  strings:
    $FromEmail        = /From:.{0,20}\<[[email protected]]\>/ nocase
    $FromName	        = /From:.{0,20}[yourCEO].{0,20}<.{5,100}>/ nocase
    $FromNameEmail    = /From:.{0,20}[yourCEO].{0,20}\<[[email protected]]\>/ nocase

    $Reply            = /Reply-To:.{0,20}/ nocase
    $ReplyEmail       = /Reply-To:.{0,20}\<[[email protected]]\>/ nocase
    $ReplyName	      = /Reply-To:.{0,20}[yourCEO].{0,20}\</ nocase
    $ReplyNameEmail   = /Reply-To:.{0,20}[yourCEO].{0,20}\<[[email protected]]\>/ nocase

  condition:
    ($Reply and $FromNameEmail and not $ReplyNameEmail)
    or ($Reply and not $FromNameEmail and $ReplyNameEmail)
    or ($Reply and $FromEmail and not $ReplyEmail)
    or ($Reply and not $FromEmail and $ReplyEmail)
    or ($FromName and not $FromEmail)
    or ($ReplyName and not $ReplyNameEmail)
}

If you use this rule, you’ll need to replace each instance of the [[email protected]] placeholder with your CEO’s email address. You’ll also need to replace each instance of the [yourCEO] placeholder with your CEO’s name.

Internal Sender Rule

a YARA rule that identifies any email coming from your domain that is not a spoofed email

rule InternalSender
{
  strings:
	$a = /from:.{0,60}@domain.com/ nocase
	$b = /Return-Path:.{0,60}@domain.com/ nocase
	$c = "header.from=domain.com"
	$d = /Authentication-Results:.{0,20}spf=pass/ nocase
	
  condition:
    all of them
}

Note: If you use this rule, the email will need a matching sender domain in the headers and will need to pass your Sender Policy Framework (SPF) checks. This rule will not tag emails sent from your domain that do not require or pass your SPF checks. If you would like to tag the types of emails mentioned, remove the $d string. You can also remove the $c string.

KnowBe4 Training Emails Rule

  a YARA rule that detects all training notification emails from your KMSAT console

rule KnowBe4_TrainingEmails
{
  strings:
  $ = /Return-Path:.{0,50}psm.knowbe4.com>/ nocase
  $ = /Received:.{0,50}(147.160.167.\d{1,3})/ nocase
  $ = /Received:.{0,50}(23.21.109.197)/ nocase
  $ = /Received:.{0,50}(23.21.109.212)/ nocase
  $ = /Received:.{0,50}psm.knowbe4.com/ nocase

  condition:
    any of them
}

KnowBe4 Training Emails Rule

 a YARA rule that detects if a value is not present in a selected PhishER target (click to view)

rule notPresent
{
  strings:
    $a = "KnowBe4" nocase

  condition:
    (not $a) and (filesize > 0)
}

To use this rule, you’ll need to include the special variable filesize in your rule’s condition. The filesize variable checks if the target you selected is empty. This process is helpful if you receive an email with a plain text body and an HTML body since one type of body could be empty but the other body could contain your string. Without the filesize variable, the email could falsely match your notPresent rule.

Most Common Regular Expressions Table

A regular expression, or regex, is a sequence of characters that is used to identify a pattern in text strings. To learn about regular expressions that are often used in YARA rules for PhishER, see the table below. For more information about regular expressions, see YARA’s Writing YARA rules documentation.

Operators and Modifiers Description
\n

This regex is an escape sequence that looks for a new line. 
. This regex is a metacharacter that matches any character or symbol.
{n, m}

This regex is a quantifier that looks for a range of matches between a number of characters represented by n and m. This regex is used to identify matching segments of a string.

Note: You can use the {n,m} regex following any character. See the examples below:

  • 9{2,3}: This regex will match 99 or 999.
  • .{2,3}: This regex will match any two-character or three-character string.
| This regex is a metacharacter that indicates an alternation operator, similar to an OR operator. This regex looks for a match among multiple possible regular expressions.
* This regex is a quantifier that looks for zero or more matches.
? This regex is a quantifier that looks for zero or one match.

Escape Sequences

Escape Sequence Represents
\a Bell (alert)
\b Backspace
\f Form feed
\n New line
\r Carriage return
\t Horizontal tab
\v Vertical tab
\’ Single quotation mark
\” Double quotation mark
\\ Backslash
\? Literal question mark
\ ooo ASCII character in octal notation
\x hh ASCII character in hexadecimal notation
\x hhhh Unicode character in hexadecimal notation if this escape sequence is used in a wide-character constant or a Unicode string literal.

For example, WCHAR f = L'\x4e00' or WCHAR b[] = L"The Chinese character for one is \x4e00".
Metacharacter Description
^ Matches the starting position within the string. In line-based tools, it matches the starting position of any line.
. Matches any single character (many applications exclude newlines, and exactly which characters are considered newlines is flavor-, character-encoding-, and platform-specific, but it is safe to assume that the line feed character is included). Within POSIX bracket expressions, the dot character matches a literal dot. For example, a.c matches “abc”, etc., but [a.c] matches only “a”, “.”, or “c”.
[ ] A bracket expression. Matches a single character that is contained within the brackets. For example, [abc] matches “a”, “b”, or “c”. [a-z] specifies a range which matches any lowercase letter from “a” to “z”. These forms can be mixed: [abcx-z] matches “a”, “b”, “c”, “x”, “y”, or “z”, as does [a-cx-z].

The - character is treated as a literal character if it is the last or the first (after the ^, if present) character within the brackets: [abc-][-abc]. Backslash escapes are not allowed. The ] character can be included in a bracket expression if it is the first (after the ^) character: []abc].
[^ ] Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than “a”, “b”, or “c”. [^a-z] matches any single character that is not a lowercase letter from “a” to “z”. Likewise, literal characters and ranges can be mixed.
$ Matches the ending position of the string or the position just before a string-ending newline. In line-based tools, it matches the ending position of any line.
( ) Defines a marked subexpression. The string matched within the parentheses can be recalled later (see the next entry, \n). A marked subexpression is also called a block or capturing group. BRE mode requires \( \).
\n Matches what the nth marked subexpression matched, where n is a digit from 1 to 9. This construct is vaguely defined in the POSIX.2 standard. Some tools allow referencing more than nine capturing groups. Also known as a backreference. backreferences are only supported in BRE mode
* Matches the preceding element zero or more times. For example, ab*c matches “ac”, “abc”, “abbbc”, etc. [xyz]* matches “”, “x”, “y”, “z”, “zx”, “zyx”, “xyzzy”, and so on. (ab)* matches “”, “ab”, “abab”, “ababab”, and so on.
{m,n} Matches the preceding element at least m and not more than n times. For example, a{3,5} matches only “aaa”, “aaaa”, and “aaaaa”. This is not found in a few older instances of regexes. BRE mode requires \{m,n\}.

Examples:

  • .at matches any three-character string ending with “at”, including “hat”, “cat”, “bat”, “4at”, “#at” and ” at” (starting with a space).
  • [hc]at matches “hat” and “cat”.
  • [^b]at matches all strings matched by .at except “bat”.
  • [^hc]at matches all strings matched by .at other than “hat” and “cat”.
  • ^[hc]at matches “hat” and “cat”, but only at the beginning of the string or line.
  • [hc]at$ matches “hat” and “cat”, but only at the end of the string or line.
  • \[.\] matches any single character surrounded by “[” and “]” since the brackets are escaped, for example: “[a]”, “[b]”, “[7]”, “[@]”, “[]]”, and “[ ]” (bracket space bracket).
  • s.* matches s followed by zero or more characters, for example: “s”, “saw”, “seed”, “s3w96.7”, and “s6#h%(>>>m n mQ”.

POSIX extended[edit]

The meaning of metacharacters escaped with a backslash is reversed for some characters in the POSIX Extended Regular Expression (ERE) syntax. With this syntax, a backslash causes the metacharacter to be treated as a literal character. So, for example, \( \) is now ( ) and \{ \} is now { }. Additionally, support is removed for \n backreferences and the following metacharacters are added:

Metacharacter Description
? Matches the preceding element zero or one time. For example, ab?c matches only “ac” or “abc”.
+ Matches the preceding element one or more times. For example, ab+c matches “abc”, “abbc”, “abbbc”, and so on, but not “ac”.
| The choice (also known as alternation or set union) operator matches either the expression before or the expression after the operator. For example, abc|def matches “abc” or “def”.

Examples:

  • [hc]?at matches “at”, “hat”, and “cat”.
  • [hc]*at matches “at”, “hat”, “cat”, “hhat”, “chat”, “hcat”, “cchchat”, and so on.
  • [hc]+at matches “hat”, “cat”, “hhat”, “chat”, “hcat”, “cchchat”, and so on, but not “at”.
  • cat|dog matches “cat” or “dog”.

Source link

KnowBe4 YARA Rules for PhishER Read More »

Scroll to Top