DevTest - Mimikatz Module Execution Detected due to restart of IAM

Article ID: 194973

Products

CLOUDTEST, CA Application Test, CA Cloud Test Mobile, MOBILECLOUD, Service Virtualization

Issue/Introduction

A "Mimikatz Module Execution" alert was raised on a server after a team member restarted the DevTest Identity Access Manager (IAM) service.

Can you please confirm whether IAM can trigger a Mimikatz Module Execution alert under any circumstance?

Environment

Release : 10.5

Component : CA Service Virtualization

Resolution

There is no internal call from the IAM component to any Mimikatz module.

After more specific information about the alert was obtained, the cause was identified: the detection fires on the keyword "VAULT::", which appears in the following IAM configuration value:

Diam.keystore.password=${VAULT::IAM::IAM_KEYSTORE_PASSWORD::1}

"VAULT::" is also the name of a mimikatz module used to show the location of credentials, which is why this string matched the detection.

I assume that Vault in this case refers to a CyberArk vault; if so, we can filter it out of our detections.

"The Iam.keystore.password setting is part of the JBoss server configuration. Typically, passwords are made available to JBoss services by including them in configuration files. All JBoss configuration files should be stored on secure file systems and be readable only by the JBoss Application Server process owner. To provide passwords as encrypted text in the JBoss server configuration files, the JBoss server vault is used to store the passwords referenced by the IAM configuration."
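The false positive above comes from a keyword match on "VAULT::" that does not distinguish a JBoss password-vault expression (of the form ${VAULT::block::attribute::shared_key}) from the mimikatz module name. The following detection-tuning sketch is an added example, not Broadcom's or any vendor's rule: it keeps the alert for any "vault::" token that is not enclosed in a well-formed JBoss vault expression and suppresses the IAM case. The sample command lines are constructed; only the Diam.keystore.password value is taken from the article.

```python
import re
from typing import Dict, List

# Case-insensitive token the original alert keyed on (the mimikatz module name).
MIMIKATZ_VAULT_TOKEN = re.compile(r"vault::", re.IGNORECASE)

# JBoss password-vault expression: ${VAULT::<block>::<attribute>::<shared_key>}.
# The article's IAM value is ${VAULT::IAM::IAM_KEYSTORE_PASSWORD::1}.
JBOSS_VAULT_EXPR = re.compile(r"\$\{VAULT::[^:}\s]+::[^:}\s]+::[^:}\s]+\}")


def classify(line: str) -> str:
    """Return 'alert', 'suppressed' or 'clean' for one command line / log line.

    The line is suppressed only if every 'vault::' hit sits inside a
    well-formed JBoss vault expression; a hit outside one keeps the alert.
    """
    hits = [m.start() for m in MIMIKATZ_VAULT_TOKEN.finditer(line)]
    if not hits:
        return "clean"
    spans = [m.span() for m in JBOSS_VAULT_EXPR.finditer(line)]

    def inside_jboss_expr(pos: int) -> bool:
        return any(start <= pos < end for start, end in spans)

    return "suppressed" if all(inside_jboss_expr(h) for h in hits) else "alert"


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket a batch of lines by classification for review."""
    out: Dict[str, List[str]] = {"alert": [], "suppressed": [], "clean": []}
    for line in lines:
        out[classify(line)].append(line)
    return out


# Constructed sample telemetry. Line 1 places the article's IAM value on a
# hypothetical java command line; the remaining lines are invented.
SAMPLE_LINES = [
    "java -Diam.keystore.password=${VAULT::IAM::IAM_KEYSTORE_PASSWORD::1} -jar iam.jar",
    'C:\\temp\\tool.exe "vault::<module-args>"',            # bare token, no JBoss expression
    "java -Dfoo=${VAULT::IAM::X::1} other vault:: arg",     # one hit outside an expression
    "java -Diam.other=plain -jar iam.jar",                  # no token at all
]

if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_LINES).items():
        print(bucket, len(lines))
```

The tuning is deliberately narrow: anything that merely contains "vault::" without the full ${VAULT::...::...::...} shape still alerts, so the exception covers the JBoss configuration pattern and nothing broader.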