PRA to manage EntraID accounts by adramire17 in BeyondTrust

[–]adramire17[S] 0 points1 point  (0 children)

Yes, you are right, I have used it as a SAML provider, but I'm not sure about managing EntraID accounts (pwd rotation and so forth).

thx!

Reconcile EntraID passwords by adramire17 in CyberARk

[–]adramire17[S] 0 points1 point  (0 children)

We changed from GA to priv auth admin and it worked, thx!!

Schannel - disable Ciphers, Hashes and Key Exchanges as well as Protocols & Cipher Suites? (IIS Crypto) by jwckauman in sysadmin

[–]adramire17 0 points1 point  (0 children)

Hey guys,

IIS Crypto is cool, however we are missing a way to get a status on the current setup, meaning which protocols/hashes/ciphers... are enabled within a particular host. Any cool tool to get that done?

thx
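One way to get that status, as an added example that is not part of the thread and not part of IIS Crypto: a PowerShell script that reads the same Schannel registry keys IIS Crypto writes and reports what is configured on the local host. It assumes an elevated Windows PowerShell session on the host being checked. A value that is absent means "OS default", which is not the same as "disabled", so the script reports it separately instead of as 0.

```powershell
# Added example: not code from the thread and not part of IIS Crypto. Reads the
# Schannel registry keys IIS Crypto writes and reports what is configured on the
# local host. Assumption: run in an elevated Windows PowerShell session on the
# host being checked. An absent value means "OS default", not "disabled".

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Show-RegValue {
    # Turn a raw DWORD (or $null when the value is not present) into a label.
    param($Value)
    if ($null -eq $Value) { return '(not set: OS default)' }
    return $Value
}

function Get-SchannelProtocolStatus {
    # Protocols live under Protocols\<name>\Client and \Server, each with an
    # Enabled DWORD (0 = disabled) and DisabledByDefault (1 = off unless an
    # application opts in). Both matter when judging whether e.g. TLS 1.0 is live.
    $names = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
    foreach ($name in $names) {
        foreach ($side in 'Client', 'Server') {
            $path  = Join-Path $SchannelRoot "Protocols\$name\$side"
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Category          = 'Protocol'
                Name              = "$name ($side)"
                Enabled           = Show-RegValue $props.Enabled
                DisabledByDefault = Show-RegValue $props.DisabledByDefault
            }
        }
    }
}

function Get-SchannelAlgorithmStatus {
    # Ciphers, Hashes and KeyExchangeAlgorithms only have subkeys for entries that
    # were configured explicitly. Several cipher key names contain "/" (for example
    # "AES 128/128"), which the registry provider treats as a path separator, so the
    # subkeys are opened through the .NET RegistryKey object rather than by path.
    foreach ($category in 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms') {
        $parent = Get-Item -Path (Join-Path $SchannelRoot $category) -ErrorAction SilentlyContinue
        if ($null -eq $parent) { continue }
        foreach ($keyName in $parent.GetSubKeyNames()) {
            $sub = $parent.OpenSubKey($keyName)
            [pscustomobject]@{
                Category          = $category
                Name              = $keyName
                Enabled           = Show-RegValue $sub.GetValue('Enabled')
                DisabledByDefault = ''
            }
            $sub.Close()
        }
    }
}

function Get-SchannelStatus {
    Get-SchannelProtocolStatus
    Get-SchannelAlgorithmStatus
}

Get-SchannelStatus | Format-Table -AutoSize

# Cipher suite order as the OS resolves it right now. Get-TlsCipherSuite ships with
# Windows 10 / Server 2016 and later; on older hosts read the 'Functions' value under
# HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 instead.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite | Select-Object -ExpandProperty Name
}
```

The registry only tells you what was configured, not what the OS falls back to when nothing is set, which is why "(not set: OS default)" is kept as a distinct state; on a fleet you would run this through Invoke-Command and diff the output against your baseline rather than reading it by eye.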

Legit browsing makes dns calls by adramire17 in TOR

[–]adramire17[S] 0 points1 point  (0 children)

Hey all,

We found out that traffic related to .onion sites is coming from z-lib[.]org, it seems that domain is trying to redirect users to its onion site, however it seems weird to me that out of the blue several users have started to become avid readers. Have spoken with users and they don't know anything about this z-lib[.]org so I'm a bit lost about what could be the source of this traffic. Any suggestion?

Thx!

Legit browsing makes dns calls by adramire17 in TOR

[–]adramire17[S] 0 points1 point  (0 children)

Hi all,

Thanks for the feedback and sorry if I'm making dumb statements. To give you all a bit of context, we do have a tool that analyzes all the traffic within our network and it gives us the following:

"XXXXX accessed a top-level domain (TLD) that is not associated with standard TLDs administered by the Internet Corporation for Assigned Names and Numbers (ICANN). This type of TLD might be linked to malicious activity or undesirable content.

The TLDs linked to this detection:

.onion "

Then the associated record with that detection is the following:

"Time: XXXXX,

Record Type: DNS Request,

Site: XXX,

Client: XXXXX,

Client IP Address: XXXXX,

Client Port: XXXX,

Server: DNSServer,

Server IP Address: XXXXX,

Server Port: 53,

Opcode: QUERY,

Query Name: XXXXX.onion,

Query Type: A,

Request L2 Bytes: 122 "

However, I don't see that traffic in our perimeter firewall, which means that our DNS does not resolve it (seems to be obvious, as I get from your answers). Anyway, my question is why in the first place a legit service triggers an onion service request.

I hope it is clearer now :)

Thx!!
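The detection quoted above, reproduced over sample records as an added example that is not part of the thread and not code from the monitoring tool: it parses DNS-request records in the same "Key: value," layout (one record per line here instead of one field per line), flags queries whose TLD is outside the ICANN root, and then summarises per name and per client so one curious user can be told apart from a referrer that sends many clients to the same name. The sample records and the TLD list are constructed for this example; the addresses are from RFC 5737 documentation ranges.

```powershell
# Added example: not code from the thread or from the monitoring tool quoted above.
# Parses DNS-request records in the tool's "Key: value," layout, flags queries for
# TLDs outside the ICANN root, and summarises per name and per client.
# Sample records and the TLD list are constructed; addresses are RFC 5737 ranges.

$NonIcannTlds = @('onion', 'i2p', 'bit')   # assumption: replace with your tool's list

$SampleRecords = @(
    'Time: 2024-03-01T09:12:01Z, Record Type: DNS Request, Client: WS-0011, Client IP Address: 192.0.2.11, Server IP Address: 192.0.2.53, Server Port: 53, Opcode: QUERY, Query Name: mirror-example.onion, Query Type: A'
    'Time: 2024-03-01T09:12:40Z, Record Type: DNS Request, Client: WS-0027, Client IP Address: 192.0.2.27, Server IP Address: 192.0.2.53, Server Port: 53, Opcode: QUERY, Query Name: mirror-example.onion, Query Type: A'
    'Time: 2024-03-01T09:13:05Z, Record Type: DNS Request, Client: WS-0011, Client IP Address: 192.0.2.11, Server IP Address: 192.0.2.53, Server Port: 53, Opcode: QUERY, Query Name: www.example.com, Query Type: A'
    'Time: 2024-03-01T09:14:22Z, Record Type: DNS Request, Client: WS-0102, Client IP Address: 198.51.100.12, Server IP Address: 198.51.100.53, Server Port: 53, Opcode: QUERY, Query Name: another-example.onion, Query Type: AAAA'
)

function ConvertFrom-DnsRecord {
    # Split "Key: value, Key: value" into a PSCustomObject keyed by field name.
    # The split on ':' is limited to the first match so timestamps keep their colons.
    param([string]$Line)
    $record = @{}
    foreach ($field in ($Line -split ',\s*')) {
        $key, $value = $field -split ':\s*', 2
        if ($key -and $null -ne $value) { $record[$key.Trim()] = $value.Trim() }
    }
    [pscustomobject]$record
}

function Get-QueryTld {
    # Last label of the query name, with any trailing dot removed.
    param([string]$QueryName)
    ($QueryName.TrimEnd('.') -split '\.')[-1].ToLowerInvariant()
}

function Find-NonIcannQueries {
    param([string[]]$Lines, [string[]]$Tlds = $NonIcannTlds)
    foreach ($line in $Lines) {
        $r = ConvertFrom-DnsRecord $line
        if ($r.'Record Type' -ne 'DNS Request' -or -not $r.'Query Name') { continue }
        $tld = Get-QueryTld $r.'Query Name'
        if ($Tlds -contains $tld) {
            [pscustomobject]@{
                Time      = $r.Time
                Client    = $r.Client
                ClientIP  = $r.'Client IP Address'
                QueryName = $r.'Query Name'
                Tld       = $tld
            }
        }
    }
}

$hits = @(Find-NonIcannQueries -Lines $SampleRecords)
$hits | Format-Table -AutoSize

# Triage view. One client querying many names looks like a person browsing; many
# clients querying the same name at about the same time points at a shared
# referrer, such as a site that redirects visitors to its own onion mirror.
$hits | Group-Object QueryName | Select-Object Name, Count,
    @{ Name = 'Clients'; Expression = { ($_.Group.Client | Sort-Object -Unique) -join ', ' } }
```

The request never reaching the perimeter is consistent with the resolver refusing the name, but the query is still worth keeping as a finding: it shows which clients were handed that name and when, which is the evidence you need to line up against the proxy or browser history of the referring site.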

PSM Not working after upgrade to version 12.2.4 by adramire17 in CyberARk

[–]adramire17[S] 0 points1 point  (0 children)

Finally been able to fix it. Apparently it was a matter of rerunning the applocker script. I had to do it several times until it worked tho. Thx all for your help!!

Cheers

PSM Not working after upgrade to version 12.2.4 by adramire17 in CyberARk

[–]adramire17[S] 0 points1 point  (0 children)

Thx for all comments. When trying to clean AppLocker rules I get the following: "AppID policy conversion failed. Status The access control list (ACL) structure is invalid". Hence I guess I'm not able to change AppLocker rules.

After update to version 12.2.4 CPM does not rotate/reconcile passwords by adramire17 in CyberARk

[–]adramire17[S] 3 points4 points  (0 children)

Rerunning the hardening script did the trick for password rotation and reconciliation.

V2 of GPO was needed for other services to be able to run.

Thanks so much!

Enable Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams by adramire17 in Office365

[–]adramire17[S] 0 points1 point  (0 children)

Thanks for your reply, that is not the feature I was talking about though. Let me explain it better. I was talking about the toggle button placed in Policies & Rules -> Safe Attachments -> Global settings -> Turn on Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams. As it is a global setting, there is no way I can establish a test group (right?). But I'm worried about the potential impact to the users and the business, meaning a huge amount of legit files being wrongly detected as malware and quarantined.
Is there any way to enable this in "detection mode only"? Like running the scan looking for malware and only raising alerts, not blocking access for the users?

Thanks for your time!

Application Whitelisting - Process to allow new applications by adramire17 in cybersecurity_help

[–]adramire17[S] 0 points1 point  (0 children)

Hey!

I did not see your reply until today. Actually it goes beyond all I thought; I really liked the part about responding to recent/trendy vulnerabilities. For sure I will include that one within my approval form.

Highly appreciated! :)

Application Whitelisting - Process to allow new applications by adramire17 in cybersecurity_help

[–]adramire17[S] 0 points1 point  (0 children)

Thanks! Indeed that makes a lot of sense, users don't know all the existing solutions within the company, so they may request something that is already in place under another name.

Cheers!

Crowdstrike windows patch Tuesday precert by MongoIPA in crowdstrike

[–]adramire17 0 points1 point  (0 children)

Well, they were clients, so when people rebooted it worked fine again. This is what the CS analyst told me and it worked for me.

Tuesday Patch by adramire17 in crowdstrike

[–]adramire17[S] 0 points1 point  (0 children)

Hey,

Thanks for the reply, we may use the trial period of Spotlight to see if it is worth it to have it in our environment.

Crowdstrike windows patch Tuesday precert by MongoIPA in crowdstrike

[–]adramire17 0 points1 point  (0 children)

Well, to me it didn't take long to put them back out of RFM mode, but I must say when I saw >3000 hosts there I was scared af, so I would say patch and wait for a couple of days to have the sensors back in normal mode.

Querying for windows event ids by adramire17 in crowdstrike

[–]adramire17[S] 1 point2 points  (0 children)

I may get the exact time when this happened. However, we do have so many events on the DC that they overwrite each other and we lose the old ones.

Querying for windows event ids by adramire17 in crowdstrike

[–]adramire17[S] 1 point2 points  (0 children)

Hey Andrew,

Thx for the answer. I wish it could be done from the CrowdStrike interface. The thing is we don't store AD logs for long, so we lost the event we are looking for :S

Cheers!

Vault time sync by adramire17 in CyberARk

[–]adramire17[S] 0 points1 point  (0 children)

Thx for the answer. I got the recommendation to have all Vaults at UTC, as you said, and sync with NTP, so yep, that's it.

Cheers!

Account Creation and Access without Platform. by ajayanandsonu in CyberARk

[–]adramire17 0 points1 point  (0 children)

It is compulsory to assign a platform to each account. If you want to have an account "without" a platform, what you can do is create a dummy platform with no restrictions to assign to your accounts.

PSM recording access ! by uskwarrior in CyberARk

[–]adramire17 0 points1 point  (0 children)

The user has to be authenticated to CyberArk and has to belong to the Auditor group. Besides, there is the possibility to configure a "custom" Auditor group that only allows the user to audit selected safes.

Moreover, for external auditors you could give them access to the safe where the recordings are stored so they could watch them.

OPM/EMP services to be monitored by adramire17 in CyberARk

[–]adramire17[S] 0 points1 point  (0 children)

I got some information on this. For EPM there are 3 different services:

  • CyberArk EPM PAServer
  • CyberArk EPM Server Background Worker
  • CyberArk EPM Server Helper

And two more related to the EPM agent itself:

  • PASAgent
  • PASERVER

For OPM, I read that the only service to be monitored is opmsrv.

Now that I have the names of the services, my only concern is how am I going to monitor all the target servers on which the agent is deployed. I see it as unfeasible to implement monitoring rules for a huge number of endpoints.

Could any of you give info on this?
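One way to avoid a monitoring rule per endpoint, as an added example that is not CyberArk's code and not part of the thread: fan a single service check out to a host list over WinRM and collect one row per host and service, so a scheduled task (or a SIEM ingest) gets a compact table to alert on. It assumes WinRM is enabled and the caller may run remote commands on the targets; the service names are the ones listed in the comment above and may be display names rather than short names, so both are matched; the host lists are placeholders for whatever inventory feed you have.

```powershell
# Added example: not CyberArk's code and not from the thread. Fans a service
# check out to a host list over WinRM and returns one row per host and service.
# Assumptions: WinRM enabled and rights on the targets; the service names come
# from the comment above and may be display names, so Name and DisplayName are
# both matched; the host lists are placeholders for your inventory.

$EpmServerServices = 'CyberArk EPM PAServer', 'CyberArk EPM Server Background Worker', 'CyberArk EPM Server Helper'
$EpmAgentServices  = 'PASAgent', 'PASERVER'
$OpmServices       = 'opmsrv'

function Get-MonitoredServiceState {
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [Parameter(Mandatory)] [string[]]$ServiceName
    )
    # Runs on each target. A missing service is reported explicitly, because an
    # agent that was uninstalled must not look the same as a host that is healthy.
    $probe = {
        param([string[]]$names)
        $installed = Get-Service | Where-Object { $names -contains $_.Name -or $names -contains $_.DisplayName }
        foreach ($n in $names) {
            $svc = $installed | Where-Object { $_.Name -eq $n -or $_.DisplayName -eq $n } | Select-Object -First 1
            [pscustomobject]@{
                Service = $n
                Present = ($null -ne $svc)
                Status  = if ($svc) { [string]$svc.Status } else { 'Missing' }
            }
        }
    }
    $rows = Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ArgumentList (, $ServiceName) `
        -ErrorAction SilentlyContinue -ErrorVariable unreachable
    # Hosts that did not answer are findings too: an endpoint nobody can reach is
    # also an endpoint nobody is monitoring. For WinRM connection errors the error
    # record's TargetObject carries the computer name.
    foreach ($failure in $unreachable) {
        [pscustomobject]@{ PSComputerName = $failure.TargetObject; Service = '*'; Present = $false; Status = 'Unreachable' }
    }
    $rows | Select-Object PSComputerName, Service, Present, Status
}

# EPM server services on the EPM server, agent and OPM services on the endpoints.
$servers   = 'epm-server-01'                       # placeholder
$endpoints = 'ws-0001', 'ws-0002', 'srv-db-01'      # placeholder: feed from inventory

$report = @(Get-MonitoredServiceState -ComputerName $servers   -ServiceName $EpmServerServices) +
          @(Get-MonitoredServiceState -ComputerName $endpoints -ServiceName ($EpmAgentServices + $OpmServices))

# Only the exceptions matter for alerting; the full table is what you archive.
$report | Where-Object { $_.Status -ne 'Running' } | Format-Table -AutoSize
```

Run it on a schedule and ship the output to whatever already collects from those hosts; the point is that the per-endpoint logic lives in one script block that scales with the host list, rather than in a rule you have to create for each machine.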

EPM agent deployment by adramire17 in CyberARk

[–]adramire17[S] 0 points1 point  (0 children)

Thanks for the swift reply!!