Iraje PAM Command Line Bypass Manual, version 7.5

Introduction

A user can access a Windows terminal server in several ways. The most commonly used is MSTSC, the RDP client, to open an RDP session to a Windows server. Other mechanisms also exist for logging in to a Windows server directly:

  • RDP

  • Psexec

  • PowerShell

  • WMI

  • SMB

  • Run Application as different user

Apart from RDP, these are remote command-line options for accessing Windows devices, and they are generally hidden ways of reaching a Windows device while bypassing PAM.

The Iraje Agent detects an unauthorised access whenever the Windows terminal server is reached through any of the above methods.
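Detection logic for the channels listed above, as an added example and not Iraje's agent code: it classifies Windows Security event 4624 (successful logon) records by LogonType into the manual's access channels and flags every session whose source is not a PAM node. The PAM node addresses, the trimmed 4624 field format and the sample events are constructed for illustration.

```python
import re

# Constructed assumption: only the PAM Primary and Active/HA nodes may open
# sessions on a terminal server; any other source is a direct PAM bypass.
PAM_NODES = {"172.16.1.10", "172.16.1.11"}

# Windows 4624 LogonType values mapped to the access channels in this manual.
LOGON_TYPE_CHANNEL = {
    2: "Interactive (console, localhost RDP, 'Run as different user')",
    3: "Network (SMB share, PsExec, WMI, WinRM/PowerShell remoting)",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP via mstsc)",
}

# Constructed sample events, trimmed to the 4624 message fields the check uses.
SAMPLE_EVENTS = [
    "EventID: 4624\nLogon Type: 10\nAccount Name: admin1\nSource Network Address: 172.16.1.10",   # RDP via PAM node
    "EventID: 4624\nLogon Type: 10\nAccount Name: admin1\nSource Network Address: 172.16.1.169",  # direct RDP
    "EventID: 4624\nLogon Type: 10\nAccount Name: admin2\nSource Network Address: 127.0.0.1",     # localhost RDP
    "EventID: 4624\nLogon Type: 3\nAccount Name: svc_ops\nSource Network Address: 172.16.1.169",  # SMB/PsExec/WMI
    "EventID: 4624\nLogon Type: 2\nAccount Name: user3\nSource Network Address: -",               # run as different user
    "EventID: 4624\nLogon Type: 3\nAccount Name: TS01$\nSource Network Address: 172.16.1.20",     # machine account
    "EventID: 4624\nLogon Type: 5\nAccount Name: SYSTEM\nSource Network Address: -",              # service logon
    "EventID: 4625\nLogon Type: 3\nAccount Name: admin1\nSource Network Address: 172.16.1.169",   # failed logon
]

def parse_event(text):
    """Turn the 'Field: value' lines of a 4624 message into a dict."""
    f = dict(re.findall(r"^([^:\n]+):\s*(.*)$", text, re.MULTILINE))
    return {"id": int(f["EventID"]), "logon_type": int(f["Logon Type"]),
            "account": f["Account Name"], "source": f["Source Network Address"]}

def classify(event):
    """Return a finding for a PAM-bypassing logon, or None if it is benign."""
    channel = LOGON_TYPE_CHANNEL.get(event["logon_type"])
    if (event["id"] != 4624                     # only successful logons
            or event["account"].endswith("$")   # machine accounts, not people
            or channel is None                  # service, batch, unlock, ...
            or event["source"] in PAM_NODES):   # brokered through PAM: allowed
        return None
    return {"account": event["account"], "channel": channel, "source": event["source"]}

def find_bypasses(raw_events):
    """Every flagged logon; this is the content of an 'Unauthorized Access' report."""
    return [f for f in (classify(parse_event(e)) for e in raw_events) if f]

if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_EVENTS):
        print(f"{f['account']:<10} {f['source']:<14} {f['channel']}")
```

On a real server the same fields come from the Security log (event 4624) rather than the constructed strings, and the allowlist should hold the actual PAM node addresses entered during agent installation.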

Purpose

This capability is new to the PAM market and an innovation from Iraje.

This module gives visibility into breaches in which users access Windows devices through unauthorized channels. Detecting such bypasses on Windows devices is an extremely important capability.

Target Audience

Auditors, Risk Managers, IT Security Teams

Workflow for PAM CLI Agent installation

Step 1: To install the Iraje Agent, the PAM user double-clicks the Iraje agent setup file, or right-clicks it and selects ‘Run as admin’

Step 2: Click on the ‘Next’ button

Step 3: Click on the ‘Next’ button

Step 4: It will prompt for the Primary and Active / HA node IP address

Step 5: Enter the ‘Primary & Active / HA node IP Address’ and click on the ‘Next’ button

Step 6: Click on the ‘Next’ button

Step 7: After the successful installation, a pop-up confirming installation completion will appear

Step 8: After the successful installation, the agent status is shown in the ‘Agent Summary’ report

Alert on PAM Bypass

Iraje PAM tracks all activity of privileged accounts within the organization. Adding a PAM solution to your current security measures lets you manage privileged passwords and applications, and performing these tasks more efficiently helps you prevent unapproved access to your systems.

Iraje PAM raises alerts to let the client know when there is an unauthorized access attempt, so that they can investigate the cause. These alerts help stop attackers from gaining access to a secure or confidential system. Many secure systems also lock an account after too many failed login attempts.

Gaining access to a server using someone else's account or by other means, for example by guessing the username or password of an account that is not one's own until access is granted, is considered unauthorized access.

The Iraje PAM Agent is deployed on the target Windows servers. It notifies the client of each incident and provides more detailed information via email or SMS.

Bypassing Iraje PAM - Using 'Source' System

The following are the steps by which an admin can access the system:

  • A user will access the terminal server from the source system.

  • A source system can be a workstation or any terminal server.

  • In our scenario, a user accesses the terminal server from the source system.

Step 1: A user accesses the terminal server (172.16.1.185) from the source system (172.16.1.169)

Step 2: Enter the ‘Username’ & ‘Password’ of the target device

Step 3: After entering the server credentials, the user gets terminal server access

Step 4: An alert is triggered and the incident data is entered in the ‘Unauthorized Access’ report

Bypassing Iraje PAM - Using Terminal Server 'Localhost'

The following are the steps by which an admin can access the system:

  • A user will access the terminal server from the same terminal system.

  • The source system is the terminal server itself.

  • In our scenario, a user accesses the terminal server from the terminal system using localhost RDP.

  • Below are the details of the PAM / Terminal & source system.

Step 1: The user enters the IP, i.e. localhost, from the terminal server itself

Step 2: The user needs to enter the server ‘Username’ & ‘Password’

Step 3: Once the credentials are entered, the user gets terminal server access

Step 4: An alert is triggered and the incident data is entered in the ‘Unauthorized Access’ report

Bypassing Iraje PAM - Using ‘Run Application as Different User’

The following are the steps by which an admin can access the system:

  • A user logs on to the system with one username and runs an application under a different username

  • In our scenario, the user logs in to the system with the user 1 ID and runs the Server Manager application under a different user ID, i.e. user 3

Step 1: The user accesses the ‘Server Manager’ application via the ‘Run as different user’ option

Step 2: It will prompt for ‘Username’ & ‘Password’

Step 3: The user enters the credentials of the different user

Step 4: The user gets access to the application after successful authentication

Step 5: An alert is triggered and the incident data is entered in the ‘Unauthorized Access’ report

Bypassing Iraje PAM - Using the ‘PsExec’ tool from the source system

The following are the steps by which an admin can access the system:

  • A user will access the terminal server from the source system using the PsExec tool

  • A source system can be a workstation or a terminal server

  • In our scenario, a user accesses the terminal server from the workstation using the PsExec tool.

Step 1: A user accesses the terminal server (172.16.185) from the source system (172.16.1.169) using PsExec

Step 2: An alert is triggered and the incident data is entered in the ‘Unauthorized Access’ report

Step 3: A user accesses the terminal server (172.16.185) from the source system (172.16.1.169) using PsExec, but the user ID in use does not have the rights to access the terminal server remotely via PsExec

Step 4: An alert is triggered and the incident data is entered in the ‘Unauthorized Access’ report

Bypassing Iraje PAM - Using an ‘SMB’ Network Share

The following are the steps by which an admin can access the system:

  • A user will access the terminal server drive using an SMB network share from the source system.

  • A source system can be a workstation or a terminal server.

  • In our scenario, a user accesses the terminal server drive from the workstation using ‘Map network drive’.

Step 1: The user connects to the drive of the terminal server using ‘Map network drive’

Step 2: The user enters the details for the mapped network drive

Step 3: The user enters the share path

Step 4: The user enters the credentials of the terminal server

Step 5: The terminal server drive is now visible to the user on his/her workstation

Step 6: An alert is triggered and the incident data is entered in the ‘Unauthorized Access’ report

Bypassing Iraje PAM - Using a ‘WMI Client’ from the source system

The following are the steps by which an admin can access the system:

  • A user will access the terminal server's services using a WMI client from the source system

  • A source system can be a workstation or a terminal server

  • In our scenario, a user accesses the terminal server's services from the workstation using the Windows Services module

  • Below are the details of the PAM / Terminal & source system

Step 1: The user accesses the services of the terminal server (172.16.1.173) from the source system (172.16.1.172)

Step 2: The user clicks on ‘Connect to another computer’

Step 3: The user enters the ‘Terminal server IP Address’

Step 4: The user gets access to the terminal server's services

Step 5: An alert is triggered and the incident data is entered in the ‘Unauthorized Access’ report

Bypassing Iraje PAM - Using ‘PowerShell’ from the source system

The following are the steps by which an admin can access the system:

  • A user will access the terminal server from the source system using a PowerShell command

  • A source system can be a workstation or a terminal server

  • In our scenario, a user accesses the terminal server from the workstation using PowerShell

  • Below are the details of the PAM / Terminal & source system

Step 1: The user enters the PowerShell command to connect to the terminal server

Step 2: The user needs to enter the ‘Password’ for the terminal server

Step 3: The user is able to connect after entering valid credentials

Step 4: An alert is triggered and the incident data is entered in the ‘Unauthorized Access’ report

Iraje Agent Report

Agent Reports are critical for identifying the outliers who bypass the PAM solution to take direct access to critical assets, i.e. the people violating the organization's security policies. This is one of the most critical reports for the organization's audit and compliance.

Iraje agent has 3 types of reports:

  • Agent summary

  • Agent Tampered

  • Unauthorized Access

Step 1: To access the Reports module, click on ‘Reports’

Step 2: Click on ‘Agent Report’

Step 3: Once the user clicks on Agent Reports, he/she can view the ‘Agent Tampered / Summary / Unauthorized Access’ reports

Agent Summary Report

This report displays the list of devices on which the Iraje PAM agent has been installed.

Unauthorized Access

This report displays the list of user IDs that have bypassed Iraje PAM.

Agent Tampered

This report displays the list of terminal devices on which the Iraje agent services have been tampered with.