Knowledge base
Knowledge base
Breadcrumbs

Thycotic

Last updated: 2020-11-17



Purpose

This article provides set up information on the Thycotic integration.

Introduction

The Thycotic integration enables secure retrieval of privileged credentials from a Thycotic Secret Server vault to support authenticated scanning workflows. By configuring the connection to your Thycotic instance and referencing stored secrets when setting up SSH or SMB authentication on targets or in scan policies, the vulnerability scanner can leverage centrally managed credentials rather than storing them directly in the platform. This integration improves credential lifecycle control, reduces exposure of sensitive login data, and aligns authenticated scans with enterprise-grade privileged access management practices.

Thycotic authentication can be configured on the scan policy, on the target or on the target group.

Set Up Thycotic Integration in OUTSCAN or HIAB

To set up Thycotic in OUTSCAN or HIAB:

  1. Go to Main Menu > Settings > Integrations.

  2. Select the Thycotic tab.

    thycotic1.jpg


  3. Configure Thycotic Sever:

Option

Description

Enabled

Click on this field to enable Thycotic.

Name

Provide a name for this configuration. 

URI

Provide your Thycotic Secret server URI.

User

Provide your Thycotic user name.

Password

Provide your Thycotic password.

Organization (optional)

Provide the name of the organization that should be queried in a Thycotic Cloud setup. 

Tenant (optional)

Provide the tenant for Thycotic Cloud setup.

Ignore certificate validation

It is recommended to leave this box unchecked. Check this box only when there is no trusted certificate available.

Test Authentication

Click on this button to test the authentication status.

Add

Click to add the configuration settings.


  1. Click Save.

After enabling Thycotic, the authentication can be configured on a target, target group, or a scan policy.

Target / Target Group

  1. Go to Main Menu > Netsec > Manage Targets.

    1. Target: Edit a target to setup the Authentication

    2. Target Group: Right-click on a group and select Set Target Authentication

  2. Select Thycotic SMB or Thycotic SSH from the drop-down list, to use the respective authentication.
       

    Thycotic SSH

       

    Thycotic SMB

                                                                     

  3. Fill in the Credentials:

Option

Description

Thycotic Config

Select the config from the drop-down list.

Secret name

Provide the name of the Secret. 

When the user provides a phrase, it searches for the name matching the given phrase. The first name matched is used. ${IP} will get replaced by the target IP.  ${HOSTNAME} will get replaced by the host name of the target.

Override path

Provide a new path to cancel using the existing path.

SSH substitute user command

The use of the following commands is to execute commands with a different user/privilege escalation.

  1. sudo: This command is found in most of the Linux based systems (or can be installed). Used to execute commands as a different user (other than the one used to log in). From the tools perspective, it uses root account to perform the commands.

  2. doas: It is an OpenBSD based command. 95% of its features are like sudo. https://man.openbsd.org/doas

  3. sesu: It is an IBM implementation of su.

  4. dzdo: Used in Linux/Unix (can be installed at will). An alternative to sudo.

  5. pfexec: Mostly used in Solaris.

  6. custom: It gives a flexibility to use a custom defined privilege escalation command. 

SSH custom user command

This field is available when the user selects custom in the SSH substitute user command field. Add a custom command for escalating privilege.

SMB allow NTLMv1

Check this box to enable the authentication using NTLMv1.

Enable remote registry

If enabled, the scanner initiates the Remote Registry service with the given details. Disable the service when the scan is finished.

  1. Click Test to start a verification.

  2. Click Save to enable the current settings.

Scan Policy

  1. Go to Main Menu > Netsec > Scan Scheduling > Scan Policy.

  2. Edit a scan policy to setup the Authentication. Under SMB and SSH tabs, Thycotic SSH and Thycotic SMB are now visible as new options.

  3. Click on any of the options to use the respective authentication.

    Maintaining Scanning Policy - Thycotic SSH

      

    Maintaining Scanning Policy - Thycotic SMB


  4. Provide your Credentials:

Option

Description

Thycotic Config

Select the config from the drop-down list.

Secret name

Provide the name of the Secret. 

When the user provides a phrase, it searches for the name matching the given phrase. The first name matched is used. ${IP} will get replaced by the target IP.  ${HOSTNAME} will get replaced by the host name of the target.

Override path

Provide a new path to cancel using the existing path. 

SSH substitute user command

The use of the following commands is to execute commands with a different user/privilege escalation.

  1. sudo: This command is found in most of the Linux based systems (or can be installed). Used to execute commands as a different user (other than the one used to log in). From the tools perspective, it uses root account to perform the commands.

  2. doas: It is an OpenBSD based command. 95% of its features are like sudo. https://man.openbsd.org/doas

  3. sesu: It is an IBM implementation of su.

  4. dzdo: Used in Linux/Unix (can be installed at will). An alternative to sudo.

  5. pfexec: Mostly used in Solaris.

  6. custom: It gives a flexibility to use a custom defined privilege escalation command. 

SSH custom user command

This field is available when the user selects custom in the SSH substitute user command field. Add a custom command for escalating privilege.

SMB allow NTLMv1

Check this box to enable the authentication using NTLMv1.

Enable remote registry

If enabled, the scanner initiates the Remote Registry service with the given details. Disable the service when the scan is finished

  1. To start verification, provide the target IP or Hostname and click on Test Credentials.

  2. Click Save to enable the current settings.