Finding Exploitable Admin Systems
A “How To” Guide for SecurityCenter
Exploitable Admin Systems
• If the hosts used to administer the network are vulnerable, then a malicious entity can exploit them to compromise the entire network!
•How can SecurityCenter be used to find hosts that are used to administer other systems AND that also have exploitable vulnerabilities?
Find Administrative Systems
•Plugin 800041, User Source Summaryo Plugin output gives list of user accounts that have
logged into remote systems from this host o If output contains 'root', 'Administrator', or another
Windows management account name, then it is likely that this host was used to administer other systems on the network
Find Administrative Systems
•Use dynamic asset: Admin Systemso Available in feed by selecting category Collected
Data, and then selecting tags admin or root
Find Administrative Systems
• If the Windows management account has been renamed from ‘Administrator’ to something else, text search clauses can be added in the asset.
Find Exploitable Systems
•Hosts that for at least one vulnerability detected, plugin text indicates that an exploit is available for the vulnerability, or that an exploit framework (such as Metasploit) can exploit the vulnerability.
Find Exploitable Systems
•Use dynamic asset: Exploitable (Generic)o Available in feed by selecting category
Vulnerabilities, and then selecting tag exploitable
Find Exploitable Admin Systems
•Now use a combination asset to find systems that are both administrative AND exploitable
Find Exploitable Admin Systems
•This new combination asset can be used in dashboards and reports, to display for example:
o Top vulnerabilities on admin systems (Vulnerability Summary)o Top exploitable admin systems (IP Summary)o Top remediations for admin systems (Remediation Summary)o And more!
Combination Assets
•Combination assets (assets of assets) can be used to locate systems that belong to both one group AND another group, or that belong to one group OR another group
o For example, the Exploitable (Generic) asset could be combined with other dynamic assets to find the systems in those groups that are exploitable
•Combination assets are dynamically updated, so any network changes are immediately reflected
For Questions ContactTenable Customer Support Portal