Channel: Symantec Connect: Symantec Protection Center Product Group

SEP Deception - Process Deceptor implementation


Symantec's deception is a way to create bait on the endpoint and wait for the intruder to trip it and log the event. 

Since this is endpoint protection, it is assumed that the intruder has already got past the perimeter protection and is attempting lateral movement using the endpoints, stealing admin credentials, etc. There are multiple deceptors available with Symantec; more on them in the documents below. 

Endpoint Protection Deception

A look at Deception

Below is a guide to test the Process termination deceptor. 

The Process termination deceptor policy comes with the SEP 14 package, under the tools folder. Inside the tools/deception folder the required HI & ADC policies are available, along with a guide to implement them. 

Copy the policies to the SEPM server. Open SEPM > goto policies > Host Integrity > Import a Host Integrity policy > choose the "Deception Process Termination Deployment" HI policy.

Once the policy is imported, enable the checkbox that says Deliver the process termination deceptor. This is how the bait process is delivered on the endpoint. 

Now import the ADC policy "Deception ADC Monitoring - Process Termination" using the same steps and check the box "Monitor Process Termination Deceptor".

Add the HI & ADC policies to a test group. 

Clients > <Deception Test group> Policies > Add a policy > Choose Host Integrity Policy. Click on Next

Choose "Use an Existing Policy"> Next 

Choose the imported Process Termination Policy and click OK.

If a Host Integrity policy already exists, you can copy the HI requirements from the Imported policy and paste it in the existing HI policy. 

Follow the same steps to import the given ADC policy. Now the Policies are applied to the test group where the test client is moved. 

Once the policies are applied to the client based on its heartbeat interval, the deceptors will be deployed.

The process termination deceptor creates a fake process in the name of an AV product. An intruder trying to get rid of the AV on the endpoint to avoid detection is expected to kill this process. 

Below is the list of AV process names that the HI policy would create. 

avgserv.exe
Ad-Aware.exe
f-prot.exe
kavlite40eng.exe
mcshield.exe
ccapp.exe
ccevtmgr.exe
ccpxysvc.exe
nmain.exe
navw32.exe

The process deceptor can be identified by using Process Explorer.
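The same check can be done from a console instead of Process Explorer. The script below is an added example and not part of the original article or the SEP package; it assumes the bait names are exactly the ones listed above (Get-Process takes the name without the .exe suffix). Several of these names belong to real products (mcshield.exe, for example, is a McAfee on-access scanner process), so where a real AV of that name is installed, compare the Path column to tell the bait from the genuine binary.

```powershell
# Added example (not part of the article): report which of the HI policy's
# process-termination deceptor names are currently running on this endpoint.
# Assumption: the names below match the ones the HI policy creates.
$BaitNames = @(
    'avgserv', 'Ad-Aware', 'f-prot', 'kavlite40eng', 'mcshield',
    'ccapp', 'ccevtmgr', 'ccpxysvc', 'nmain', 'navw32'
)

# Get-Process accepts an array of names; suppress the error for names not running.
$running = Get-Process -Name $BaitNames -ErrorAction SilentlyContinue

if (-not $running) {
    Write-Output "No bait process found. The HI policy may not have been applied yet; check the client's heartbeat interval and group membership."
    return
}

# Path and StartTime help distinguish the bait from a real AV process of the same name.
$running |
    Select-Object Name, Id, Path, StartTime |
    Sort-Object Name |
    Format-Table -AutoSize
```

Run it in an elevated prompt so the Path of every process is readable; once a deceptor has been replaced after a kill, rerunning it shows the new bait name (navw32.exe in the example later in this article).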

Here, kavlite40eng.exe is the bait process. 

You can select the bait process and kill it.

This will trigger the monitoring ADC policy to send a log to SEPM. We can see the logs on SEPM once deception logging is enabled. 

Open the SEPM installation directory > go to \tomcat\etc > open conf.properties using Notepad. 

Scroll all the way down and add the line below. 

scm.deception.enabled=true

Save the file and exit Notepad. 

Start > Run > Services.msc > choose the SEPM services and restart them.  
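The three manual steps above (edit conf.properties, save, restart the SEPM services) can be scripted so the change is repeatable and does not leave a duplicate key behind. The script below is an added example, not code from the article or from Symantec; the SEPM installation path is a placeholder you must set, and the service display-name filter is an assumption to adjust if your SEPM services are named differently.

```powershell
# Added example (not part of the article): ensure scm.deception.enabled=true is
# set in SEPM's tomcat\etc\conf.properties, then restart the SEPM services.
param(
    # Placeholder: point this at your SEPM installation directory.
    [string]$SepmHome = 'C:\PLACEHOLDER\Symantec Endpoint Protection Manager'
)

$confPath = Join-Path $SepmHome 'tomcat\etc\conf.properties'
if (-not (Test-Path $confPath)) {
    throw "conf.properties not found at $confPath; check -SepmHome"
}

# Keep a timestamped backup before touching the file.
Copy-Item $confPath "$confPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

$lines   = Get-Content $confPath
$pattern = '^\s*scm\.deception\.enabled\s*='

if ($lines -match $pattern) {
    # Key already present (possibly set to false): replace its value in place.
    $lines = $lines -replace "$pattern.*", 'scm.deception.enabled=true'
} else {
    # Key absent: append it at the end, as the manual steps do.
    $lines += 'scm.deception.enabled=true'
}

# Properties files are plain ASCII; write it back without a BOM.
Set-Content -Path $confPath -Value $lines -Encoding ASCII

# Restart the SEPM services. Assumption: their display names start with
# "Symantec Endpoint Protection Manager"; adjust the filter if yours differ.
Get-Service -DisplayName 'Symantec Endpoint Protection Manager*' |
    Restart-Service -Force -Verbose
```

Run it from an elevated PowerShell prompt on the SEPM server. Because it edits an existing key rather than appending a second copy, it is safe to run more than once; the backup file lets you revert if the console fails to start after the restart.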

Now that the logging is enabled, you should see the Deception logs on the SEPM. 

Open SEPM > Monitors > Log Type: Deception > View Logs

Note that the column "Caller Process" gives information about how the bait process was terminated. Here it says procexp64.exe which is the process explorer application. 

Various methods of killing the process were tried. Remote killing of the process was also logged, but killing it from the same machine did not log; possibly a feature to avoid false positives. 

The killed process will be replaced with a new bait process within a few minutes. You can see the new bait process navw32.exe below.

The deceptor can be removed by applying the HI policy.

And the ADC policy should also be removed.

Hope it helps. 
