Scan Types

This document will cover the various scan types that can be initiated in V4 and provide some helpful insight into troubleshooting common issues for failed scans.


V4 Scan Types

The table below shows which scan data each V4 scan type collects.

SCAN TYPE              | Vulnerability | Asset Discovery | SNMP | Active Directory | Compliance | PII
-----------------------|---------------|-----------------|------|------------------|------------|----
Full                   | Yes           | Yes             | Yes  | Yes              | Yes        | No
Network                | Yes           | Yes             | Yes  | No               | No         | No
Active Directory       | Yes           | Yes             | No   | Yes              | No         | No
Firewall               | Yes           | No              | No   | No               | No         | No
PII                    | No            | No              | No   | No               | No         | Yes
External               | Yes           | No              | No   | No               | No         | No
Compliance             | No            | No              | No   | No               | Yes        | No
Attack Surface Mapper  | Yes           | No              | No   | No               | No         | No


Full Scan (Probe Scan)

The Full Scan initiates Asset Discovery, Vulnerability, SNMP, Firewall, and Active Directory Scans using configured parameters under Discovery Settings and Credentials.

Full Scan is achieved using the Probe Agent, not the Lightweight Agent.

The following methods are used to communicate with assets:

Windows

It attempts to use the administrative SMB share (Admin$) to push a small executable called the Dissolvable Agent, which then runs on the remote machine to collect the details. It enumerates the shares using standard SMB tools and performs an NFS discovery to check for any NFS shares.

Active Directory

It uses LDAP to query users and groups, using the credentials provided during the AD setup (the AD/Master credentials). It runs PowerShell commands to determine GPOs, Security Groups, and the memberships of those groups.

Linux

It uses SSH credentials to log into the asset and determine which processes are running using Linux commands.

Network Devices

It uses SNMP to read the sysObjectID, look up the device's version, and query vulnerabilities for that version. It also connects to OEM APIs to get vulnerability details.

Active Directory Scan

To use this scan with your Probe agents, you need to configure the Active Directory Credentials associated with your Probe. If SMB is available, a dissolvable agent is used, which runs PowerShell in memory on the target. If SMB is unavailable, LDAP is used directly, without the PowerShell scripts.

Active Directory Scan Method

  1. A vulnerability scan is performed on the computers detected during the Active Directory scan.

  2. If any of the Active Directory computers have a Lightweight Agent installed, the asset will be skipped as it is being scanned by the Lightweight agent locally.

  3. The scan utilizes NMAP device discovery on the remaining computers.

Active Directory Prerequisite

Enable Audit Events - To perform an Active Directory Audit on a Domain Controller, you must first enable Audit Events. Once enabled, the ConnectSecure Scan Agent reads the Audit Events every 15 minutes and pushes those updates to your ConnectSecure portal.

Verify Enabled Audit Events - To verify which Audit Events are currently enabled, run the following command:

auditpol /get /category:*

This command lists all Audit Categories and their current status.

Create a .bat file and add the lines below based on your audit requirements, or run the individual commands to enable audit events.

To enable an audit event, use a command of the following form:

AUDITPOL /SET /SUBCATEGORY:"Security State Change" /SUCCESS:ENABLE

@echo OFF
Rem Enable the audit subcategories read by the ConnectSecure Scan Agent.
Rem Run from an elevated command prompt on the Domain Controller.
Rem Enable Security System Extension
echo Enabling "Security System Extension"
AUDITPOL /SET /SUBCATEGORY:"Security System Extension" /SUCCESS:ENABLE
echo Enabling "Security State Change"
AUDITPOL /SET /SUBCATEGORY:"Security State Change" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Logon" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Logoff" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Other Logon/Logoff Events" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Network Policy Server" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Application Generated" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Other Object Access Events" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Process Creation" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Process Termination" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Authentication Policy Change" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Authorization Policy Change" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"User Account Management" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Computer Account Management" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Security Group Management" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Distribution Group Management" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Directory Service Changes" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Directory Service Access" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Other Account Logon Events" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Kerberos Authentication Service" /SUCCESS:ENABLE /FAILURE:ENABLE
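The verification step above only lists the current audit state; the following PowerShell script, an added example that is not part of the ConnectSecure documentation, compares that state against the subcategories the .bat file enables and reports any that are still off. It assumes an elevated session on the Domain Controller and English-locale subcategory names (auditpol's /r switch produces CSV output).

```powershell
# Added example (not from the ConnectSecure documentation): check, on the Domain
# Controller, that every subcategory the .bat file above enables is actually on.
# Run from an elevated PowerShell prompt; auditpol needs administrative rights.

# Subcategory -> the setting the .bat file enables ('Success' or 'Success and Failure').
$Required = [ordered]@{
    'Security System Extension'       = 'Success'
    'Security State Change'           = 'Success'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Other Logon/Logoff Events'       = 'Success'
    'Network Policy Server'           = 'Success and Failure'
    'Application Generated'           = 'Success and Failure'
    'Other Object Access Events'      = 'Success'
    'Process Creation'                = 'Success'
    'Process Termination'             = 'Success'
    'Authentication Policy Change'    = 'Success'
    'Authorization Policy Change'     = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Computer Account Management'     = 'Success'
    'Security Group Management'       = 'Success'
    'Distribution Group Management'   = 'Success'
    'Directory Service Changes'       = 'Success'
    'Directory Service Access'        = 'Success'
    'Other Account Logon Events'      = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
}

$missing = foreach ($name in $Required.Keys) {
    # /r makes auditpol emit CSV with an 'Inclusion Setting' column
    # ('No Auditing', 'Success', 'Failure' or 'Success and Failure').
    $row = auditpol /get /subcategory:"$name" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $actual = [string]$row.'Inclusion Setting'
    # A subcategory passes when every word of the required setting is present,
    # so 'Success and Failure' also satisfies a plain 'Success' requirement.
    $lacking = ($Required[$name] -split ' and ') | Where-Object { $actual -notlike "*$_*" }
    if ($lacking) {
        [pscustomobject]@{ Subcategory = $name; Required = $Required[$name]; Actual = $actual }
    }
}

if ($missing) { $missing | Format-Table -AutoSize }
else { Write-Host 'All required audit subcategories are enabled.' }
```

Any row in the output names a subcategory the scan agent expects but the Domain Controller is not yet auditing; re-run the corresponding AUDITPOL /SET line for it.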

Compliance Scan

A compliance scan can be initiated for the Compliance types (such as CIS, HIPAA, PCI-DSS, NIST-800-53, NIST-800-171, CyberEssentials, Essential 8, GDPR) set under Settings at the company level or the global level. Compliance scans assess adherence to a specific compliance framework: they locate and assess flaws in system hardening configurations against that framework's requirements.

SNMP Scan

The ConnectSecure Scan Agent detects and scans SNMP-enabled devices. It reads the SNMP description using the defined SNMP Credentials (from the Probe) and initiates a vulnerability scan automatically for supported network devices.

Vulnerability Scan

This scan helps you identify vulnerabilities based on the installed applications and/or security updates. It uses the SMB protocol for scanning purposes. In some cases, you may need to provide credentials and/or additional user privileges to scan an asset.


Supported Operating Systems for Vulnerability Scanning in V4

Ubuntu
  Ubuntu 22.04 LTS (Jammy Jellyfish)
  Ubuntu 20.04 LTS (Focal Fossa)
  Ubuntu 18.04 LTS (Bionic Beaver)
  Ubuntu 16.04 LTS (Xenial Xerus)
  Ubuntu 14.04 LTS (Trusty Tahr)

CentOS
  CentOS 4
  CentOS 5
  CentOS 6
  CentOS 7
  CentOS 8

Red Hat Enterprise Linux
  RHEL 4 (Nahant)
  RHEL 5 (Tikanga)
  RHEL 6 (Santiago)
  RHEL 7 (Maipo)
  RHEL 8 (Ootpa)

Debian
  Debian 7 (Wheezy)
  Debian 8 (Jessie)
  Debian 9 (Stretch)
  Debian 10 (Buster)
  Debian 11 (Bullseye)

macOS
  OS X 10.9 Mavericks (Cabernet)
  OS X 10.10 Yosemite (Syrah)
  OS X 10.11 El Capitan (Gala)
  macOS 10.12 Sierra (Fuji)
  macOS 10.13 High Sierra (Lobo)
  macOS 10.14 Mojave (Liberty)
  macOS 10.15 Catalina (Jazz)
  macOS 11 Big Sur (GoldenGate)
  macOS 12 Monterey (Star)
  macOS 13 Ventura
  macOS 14 Sonoma

Microsoft Windows
  Windows 10 (64-bit)
  Windows 11 (64-bit)
  Windows Server 2012 (64-bit)
  Windows Server 2012 R2 (64-bit)
  Windows Server 2016 (64-bit)
  Windows Server 2019 (64-bit)
  Windows Server 2022 (64-bit)


How To Initiate Scans in V4

Lightweight Agent Scans

The Lightweight Agent scan in V4 automatically runs every 15, 30, 60, 90, or 120 minutes, based on your LW Agent Scan Interval in the Global > Overview > Settings menu.


Scheduler

You can use the Scheduler to configure automatic scan jobs to run. This is found under the Global > Assets > Scheduler menu.

Tap 'Add Scheduler' on your action toolbar.


Manual

  1. Overview > Agents: Tap the Agents menu listed under Overview, use the checkbox to select single or multiple agents, then tap the Global Actions > Scan option. Alternatively, tap the three-dot action menu on any single Agent and tap the Scan option.

  2. Assets > Assets: Tap the Assets menu under the Assets section. You can select single or multiple agents, then use the Scan Now icon on the action toolbar.

  3. Assets > Asset > Asset Details Screen: Tap the IP address of any Asset to open the Asset Details view, then use the Scan Now button on the action toolbar to scan that single asset.