Thycotic Secret Server Credentials
Service Name: Thycotic Secret Server
Service Description: Thycotic Secret Server is a privileged account management (PAM) solution that helps organizations secure, manage, and audit privileged account credentials. It provides a centralized vault for storing and controlling access to sensitive credentials, including passwords, SSH keys, and API keys.
Service Address: https://thycotic.com/products/secret-server/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the Secret Server level through security settings and access policies.
Secret Access Scope: Grants access to the Thycotic Secret Server platform, allowing users to retrieve, manage, and use privileged credentials stored within the vault based on their assigned permissions.
Secret Revokement URL: https://docs.thycotic.com/ss/11.1.0/api-scripting/webservices/api-user-management
Secret Example: username=admin&password=Th3S3cr3tP@55w0rd!&domain=DOMAIN
Suspicious Activity Investigation Instructions:
- Review Secret Server audit logs for unusual access patterns or credential retrievals
- Check for unauthorized access attempts or successful logins from unusual locations
- Monitor for mass secret access or downloads outside normal usage patterns
- Verify if any secret policies or permissions have been modified unexpectedly
- Examine API usage logs for unusual automation or scripting activities
Mitigation Instructions:
- Immediately rotate the compromised Secret Server credentials
- Revoke the affected user's session through the Secret Server admin console
- Update the user's authentication requirements (enforce MFA if not already
enabled)
- Review and restrict the user's role permissions if necessary
- Consider implementing IP restrictions for administrative access
- Audit all secrets that may have been accessed by the compromised account
- Force rotation of any potentially exposed secrets
- Review Secret Server security settings and access policies