Found a "Mimikatz Module Execution" alert on a server after a team member restarted the DevTest Identity Access Manager (IAM) service.
Can you please confirm whether IAM can trigger Mimikatz module execution under any circumstances?
Release : 10.5
Component : CA Service Virtualization
There is no internal call from the IAM component to any Mimikatz module.
After more specific information about the alert was gathered, it turned out to be a false positive on a keyword match. The detection fires on the string "VAULT::", which appears in the IAM start-up configuration:
-Diam.keystore.password=${VAULT::IAM::IAM_KEYSTORE_PASSWORD::1}
"vault" is also the name of the Mimikatz module that lists credentials stored in the Windows Vault, and a detection that matches only on the "vault::" prefix cannot tell the two apart.
I assume that Vault in this case refers to a CyberArk vault; if so, we can filter it out of our detections.
"The iam.keystore.password configuration is part of the JBoss server configuration. Typically, passwords are made available to JBoss services by including them in configuration files. All JBoss configuration files should be stored on secure file systems and should be readable only by the JBoss Application Server process owner. To provide passwords as encrypted text in the JBoss server configuration files, we have utilized the JBoss server vault to store the passwords that are used in the IAM configuration."