How to discover service-associated credentials


This document provides information on how to discover service-associated credentials. Segura® Platform can identify credentials used by running Windows services.

Requirements

For the search for credentials associated with Windows services to work correctly, you must meet the following requirements:

  • A device discovery must be configured to find credentials.
  • At least one local credential must be identified during the scan to enable the service search.
  • The target machine must have an active connection via WinRM to find the credentials associated with the services.
  • The target machine must have PowerShell installed, and the credential used in the search must be authorized to access the Win32_Service records and perform queries.

Info

This feature can’t discover credentials associated with domain accounts.
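
To check the WinRM and Win32_Service requirements against a target before configuring the discovery, the following PowerShell script can be run from an administration host. It is an added example, not Segura® code and not the query the platform itself runs. The host name is a constructed placeholder, and the `Get-AccountKind` helper is a hypothetical heuristic that classifies the service logon account by its name format only.

```powershell
# Added example, not vendor code. $Target is a constructed placeholder host name.
param(
    [string]$Target = 'server01.example.test',
    [pscredential]$Credential = (Get-Credential -Message 'Credential the discovery will use')
)

# Hypothetical helper: classify a service logon account by its name format (assumed heuristic).
function Get-AccountKind {
    param([string]$StartName, [string]$HostName)
    if (-not $StartName) { return 'None' }
    if ($StartName -match '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)') { return 'BuiltIn' }
    if ($StartName -match ('^(\.|' + [regex]::Escape($HostName) + ')\\')) { return 'Local' }
    return 'Domain'   # DOMAIN\user or user@domain
}

# Requirement: active WinRM connection to the target.
Test-WSMan -ComputerName $Target -Credential $Credential -Authentication Default -ErrorAction Stop | Out-Null

# Requirement: the credential can query Win32_Service. New-CimSession uses WS-Man (WinRM) by default.
$session = New-CimSession -ComputerName $Target -Credential $Credential -ErrorAction Stop
try {
    $hostName = (Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem -ErrorAction Stop).Name
    $services = Get-CimInstance -CimSession $session -ClassName Win32_Service -ErrorAction Stop
} finally {
    Remove-CimSession -CimSession $session
}

$report = foreach ($svc in $services) {
    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName
        Kind      = Get-AccountKind -StartName $svc.StartName -HostName $hostName
    }
}

# Local accounts are what the discovery can report; domain accounts are out of scope per the note above.
$report | Where-Object Kind -in 'Local', 'Domain' | Sort-Object Kind, Account | Format-Table -AutoSize
$report | Group-Object Kind -NoElement | Format-Table -AutoSize
```

If `Test-WSMan` or the `Win32_Service` query fails here with the same credential the discovery uses, the service search has the same prerequisite gap.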

Discover service-associated credentials

To configure the discovery of credentials associated with Windows services, follow these steps:

  1. On Segura® Platform, in the navigation bar, hover over the Products menu and select Discovery.
  2. In the side menu, select Management > Discovery.
  3. In the Discovery report, click Add.
  4. Select Device as the discovery type.
  5. In the Settings tab, enter the following information:
    1. In the Name * field, enter a name for the discovery.
    2. Optional: In the Enable origin-based segregation (IP range) field, toggle to enable origin-based segregation. Make sure to have an IP segregation configured; otherwise, this field won’t work.
    3. In the Initial IP * field, enter the starting IP of the range.
    4. Optional: In the Final IP field, enter the final IP of the range.
    5. Optional: In the Site field, enter the site where your device is located.
    6. In the Enabled * field, select Yes or No to enable or disable the discovery.
  6. Click Continue.
  7. In the Connection tab, enter the following information:
    1. In the Access credential field, select a credential.
    2. Optional: In the Network Connector field, select the network connector responsible for performing the scan.
    3. Optional: In the Configuration password (ex: enable) field, enter the configuration password for devices such as switches.
    4. Optional: In the Force sudo use field, enable to force the commands to run with sudo on Linux or Unix.
    5. Optional: In the Pool of credentials section, click + Add to select the pool of credentials.
      1. Select the pool and click Add.
  8. Click Continue.
  9. In the Searches tab, select the following information:
    1. In the Search for credentials field, select to discover credentials.
    2. In the Identify Windows accounts associated with a service field, select to discover Windows credentials associated with services.
  10. Click Continue.
  11. In the Plugin Information tab, select the following information:
    1. In the Plugins for discovery section, click + Add to select the plugins used for discovery.
      1. Select the Windows plugin, and either keep the default port or change it to a different port.
  12. Click Continue.
  13. Optional: In the Execution tab, enter the following information:
    1. In the Keep scan active after import? * field, select to keep the discovery looking for new credentials after the first import.
    2. In the Days allowed for execution section, select when the discovery will run.
    3. In the Periods allowed for execution section, select at what times the discovery will run.
    4. In the Interval between executions (in hours) * field, select the interval between each scan of the discovery.
  14. Click Continue.
  15. Optional: In the Import tab, enter the following information:
    1. In the Enable automatic importation of devices and credentials? * field, toggle it to enable automatic importation of devices and credentials directly into PAM Core.
    2. In the Credential import section, click + Add to enter the credentials’ username to be imported automatically.
  16. Click Continue.
  17. In the Review tab, review all information entered previously and click Save.

View service-associated credentials

After the discovery is completed, you can view the credentials associated with services in a report. Follow these steps:

  1. On Segura® Platform, in the navigation bar, hover over the Products menu and select Discovery.
  2. In the side menu, select Discoveries > Services.
  3. In the Device services report, fill in the search fields with the required information to locate the desired credential.