Symantec Endpoint Threat Defense for Active Directory 3.6.1 Administration Guide

Table of Contents

  • Copyright statement
  • Introducing Symantec Endpoint Threat Defense for Active Directory
      • About this guide
      • About Symantec Endpoint Threat Defense for Active Directory
      • Capabilities of Threat Defense for AD
      • Architecture
      • Getting started with configuring Threat Defense for AD
      • Where to get more information
  • About the Symantec Endpoint Threat Defense for Active Directory console
      • About launching the Threat Defense for AD console
      • Viewing your environment in the Threat Defense for AD console
      • Adding user accounts and roles
      • About the Core server health analytics
      • About the Threat Defense for AD settings
          • Configuring the notifications from the Notifications tab
          • Configuring additional settings from the Features tab
          • Configuring the system AI through the AI tab
          • Updating Threat Defense for AD through the System Update tab
          • About the SEPM tab
  • Configuring Symantec Endpoint Threat Defense for Active Directory
      • About Domains
      • Configuring AD sites
      • Configuring a deception policy
          • Defining features in a deception policy
          • Adding deceptive accounts to a deception policy
          • Defining the exception list in a deception policy
      • Configuring a Deployment Manager
          • Editing a Deployment Manager
          • Changing the log method of a Deployment Manager
      • Configuring and deploying Threat Defense for AD with Symantec Endpoint Protection
          • Configuring SEPM to deploy Memory Manipulation and the deception policy to the SEP agent
          • Viewing the Deploy tab
          • Assigning the Threat Defense for AD policy to SEPM endpoints and groups
          • Confirm the Memory Manipulation deployment
      • Adding additional SEPM servers
      • Adding instances to a Deployment Manager
      • Adding an additional AD domain
  • Configuring Alarms in Symantec Endpoint Threat Defense for Active Directory
      • About Alarms
          • Responding to an alarm in Threat Defense for AD
      • Types of breach prevention alarms
      • Viewing the details of an alarm
      • Generating a forensics report
      • Components of a forensics report
          • Memory Analysis in a forensics report
          • Persistence & Autoruns in a forensics report
          • Current Status in a forensics report
      • Mitigating attacks manually
  • Dark Corner alarms in Symantec Endpoint Threat Defense for Active Directory
      • Introducing dark corners of the Active Directory
          • About Active Directory assessment
      • Domain dark corners
          • SYSVOL Attack
          • Hidden Security Identifier (SID)
          • Golden Ticket
          • DCSync/DCShadow Backdoor Account
          • Unprivileged Admin Holder ACL
          • Power User Enumeration
          • Anonymous LDAP Binding
          • AS-REP Roasting
          • Cached Privileged Account in RODC
          • Trusted Domains

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    93 Page
  • File Size
    -
