Symantec Deception Brief
Six Deception Use Cases
Use Case Descriptions
Process Termination Deceptor
The fake process termination deceptor launches a process, built from Metasploit scripts and Microsoft wscript.exe, that is disguised as a security application commonly targeted for termination.
Use the taskkill command to terminate the process; the force switch (/F) is required, because the deceptor only triggers on an actual termination, not on a termination request.
Network Discovery Deceptor
The network discovery deceptor adds entries for fake remote desktop connections to the most recently used (MRU) list by modifying registry values.
Trigger: RDP or ICMP.
DNS Lookup Deceptor
The network lookup deceptor inserts a fake entry into the DNS cache through hosts file and registry changes; IPS triggers on the ICMP request. The lookup itself does not trigger the deceptor (example: nslookup fake.company.com); a connection must be opened to the IP address mapped to the fake FQDN. It generates encrypted registry entries.
File Share Deceptor
The network traversal deceptor creates what appears to be an off-box file share on a remote server, populated with fake files.
Credential Theft Deceptor
The credential theft deceptor launches a process as a fake user and then monitors Windows. It creates fake registry entries and runs multiple startup scripts to dump passwords and user names.
File Traversal Deceptor
The file traversal deceptor delivers fake files into a hidden directory on user machines. It creates encrypted registry values, edits the hosts file and creates fake folders.
Deception Coverage

Use case                     | Windows workstation    | Mac workstation | Windows server | RHEL server | File server   | Decoy VM
Process Termination Deceptor | Yes                    | NA              | No             | NA          | Not required* | Yes
Network Discovery Deceptor   | Yes                    | NA              | No             | NA          | Not required* | Yes
DNS Lookup Deceptor          | Yes                    | NA              | No             | NA          | Not required* | Yes
File Share Deceptor          | Yes                    | NA              | No             | NA          | Not required* | Yes
Credential Theft Deceptor    | NA - Symantec working  | NA              | No             | NA          | Not required* | NA - Symantec working
File Traversal Deceptor      | NA - Symantec working  | NA              | No             | NA          | Not required* | NA - Symantec working
Easy to detect by a hacker?
• The same fake details (files and RDP connections) are created on every machine
• Symantec IPS and ADC logs are already available in the SIEM
• Fake, encrypted registry entries are created
• Easily traceable by an attacker, as all registry values sit under a single Symantec path
• The fake file share resolves to the loopback IP address
• At every boot and every hour it validates that those scripts and registry entries are present on SEP clients
Impact on Threat Hunting Service
• Deception invokes many programs via scripts, which is noisy and will negatively impact EDR and forensic analysis
• Fake, encrypted registry entries are created
• net use commands are used in the scripts and run many times
• At every boot and every hour it validates that those scripts and registry entries are present on SEP clients
Platform coverage

Use case                     | Windows workstation    | Mac workstation | Windows server | RHEL server | File server   | Decoy VM
Process Termination Deceptor | Yes                    | NA              | No             | NA          | Not required* | Yes
Network Discovery Deceptor   | Yes                    | NA              | No             | NA          | Not required* | Yes
DNS Lookup Deceptor          | Yes                    | NA              | No             | NA          | Not required* | Yes
File Share Deceptor          | Yes                    | NA              | No             | NA          | Not required* | Yes
Credential Theft Deceptor    | NA - Symantec working  | NA              | No             | NA          | Not required* | NA - Symantec working
File Traversal Deceptor      | NA - Symantec working  | NA              | No             | NA          | Not required* | NA - Symantec working

Other controls

Use case                     | Can CB / SIEM cover?                                                                              | Deceptor hampering CB threat-hunting activity?
Process Termination Deceptor | SIEM can cover through Windows logs                                                               | Yes: the deceptor's actions resemble malicious activity, and it will be difficult to tell malicious and deceptor activity apart
Network Discovery Deceptor   | SIEM / CB cannot detect what does not exist, but connections to such a node will be recorded in CB | Yes: difficult to distinguish deceptor activity from a bad actor's
DNS Lookup Deceptor          | SIEM (DNS log) / CB can alert on successful connections                                           | Yes: the deceptor's actions resemble malicious activity, and it will be difficult to tell malicious and deceptor activity apart
File Share Deceptor          | Need to check; file executions can be monitored through names                                     | No
Credential Theft Deceptor    | SIEM / CB can cover partially                                                                     | Yes: the deceptor's actions resemble malicious activity, and it will be difficult to tell malicious and deceptor activity apart
File Traversal Deceptor      | Need to check                                                                                     | Yes: the deceptor's actions resemble malicious activity, and it will be difficult to tell malicious and deceptor activity apart
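The "Other controls" column repeatedly notes that the deceptor's own activity (script-launched net use, registry writes, process launches) looks like malicious activity in CB / SIEM data. One way a threat-hunting team can keep that noise from drowning the signal is to tag events by origin before triage: events spawned by the deception scripts are set aside, and an event counts as a decoy hit only when something other than the deception tooling touches a decoy artefact (a forced termination of the fake process, a connection to the fake FQDN or loopback share, but not a bare lookup, matching the trigger rules described on the use-case slide). The script below is an added example, not Symantec code; the event format is a simplified, constructed stand-in for EDR / SIEM records, and the script directory, decoy process name and sample events are placeholders that do not correspond to any real Symantec path.

```python
"""Triage helper: separate deception-tool noise from genuine decoy interactions.

Added example for this brief; it is not Symantec code and uses no real Symantec
path. Events are a simplified, constructed stand-in for the process / DNS /
network records a SIEM or EDR (CB) would hold. Every path, host name, process
name and IP below is a placeholder or a constructed sample.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicators of the deception tooling itself (assumptions / placeholders). In a
# real deployment these come from the deception platform's configuration.
DECEPTOR_SCRIPT_DIR = r"C:\PLACEHOLDER\Deception\Scripts"  # hypothetical script location
DECOY_PROCESS = "fake-av-service.exe"                       # constructed decoy process name
DECOY_FQDN = "fake.company.com"                             # FQDN used in the brief's example
DECOY_SHARE_IPS = {"127.0.0.1"}                             # brief: fake share resolves to loopback


@dataclass(frozen=True)
class Event:
    kind: str              # "process", "dns" or "network"
    image: str             # image that performed the action
    cmdline: str           # its command line
    parent_cmdline: str    # command line of the parent (who launched it)
    dest: str = ""         # destination host / IP for network events


def is_deceptor_noise(ev: Event) -> bool:
    """True when the deception scripts themselves caused the event, e.g. the
    wscript-launched `net use` and registry writes the brief describes."""
    marker = DECEPTOR_SCRIPT_DIR.lower()
    return marker in ev.cmdline.lower() or marker in ev.parent_cmdline.lower()


def is_decoy_interaction(ev: Event) -> bool:
    """True when something other than the deception tooling touched a decoy."""
    if is_deceptor_noise(ev):
        return False
    tokens = ev.cmdline.lower().split()
    if ev.kind == "process":
        # Brief: only a forced termination (/F) of the fake process triggers.
        return ("taskkill" in ev.image.lower()
                and "/f" in tokens and DECOY_PROCESS in tokens)
    if ev.kind == "network":
        # A real connection to the fake FQDN or the loopback share is a hit.
        return ev.dest.lower() == DECOY_FQDN or ev.dest in DECOY_SHARE_IPS
    # "dns": a bare lookup (nslookup fake.company.com) does not trigger the deceptor.
    return False


def triage(events: Iterable[Event]) -> Dict[str, List[Event]]:
    """Bucket events so hunters review decoy hits first and deceptor noise last."""
    buckets: Dict[str, List[Event]] = {"decoy_interaction": [], "deceptor_noise": [], "other": []}
    for ev in events:
        if is_deceptor_noise(ev):
            buckets["deceptor_noise"].append(ev)
        elif is_decoy_interaction(ev):
            buckets["decoy_interaction"].append(ev)
        else:
            buckets["other"].append(ev)
    return buckets


def summarize(events: Iterable[Event]) -> Dict[str, int]:
    """Counts per bucket, handy for a SIEM dashboard or a quick sanity check."""
    return {name: len(evs) for name, evs in triage(events).items()}


# Constructed sample events (not captured data).
DECEPTOR_PARENT = r'wscript.exe "C:\PLACEHOLDER\Deception\Scripts\setup.vbs"'
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\net.exe", r"net use Z: \\fakesrv\share", DECEPTOR_PARENT),
    Event("process", r"C:\Windows\System32\reg.exe", r"reg add HKLM\SOFTWARE\PLACEHOLDER /v x /d y", DECEPTOR_PARENT),
    Event("process", r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM fake-av-service.exe", "cmd.exe"),
    Event("process", r"C:\Windows\System32\taskkill.exe", "taskkill /IM fake-av-service.exe", "cmd.exe"),
    Event("dns", r"C:\Windows\System32\nslookup.exe", "nslookup fake.company.com", "cmd.exe"),
    Event("network", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe", "explorer.exe", dest="fake.company.com"),
]

if __name__ == "__main__":
    for name, evs in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)}")
        for ev in evs:
            print("   ", ev.kind, ev.image, ev.cmdline, ev.dest)
```

On the sample set the two script-spawned events land in deceptor_noise, the forced taskkill and the connection to the fake FQDN land in decoy_interaction, and the unforced taskkill and the bare nslookup land in other, mirroring the trigger rules on the use-case slide. Because the brief says the deception re-validates its scripts and registry entries at every boot and every hour, the noise bucket recurs on a schedule; tagging rather than dropping it keeps the forensic record intact while letting hunters filter it out of daily review.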
Possible Impact on End-users
• Fake remote desktop connections are created on end-user machines
• Fake file shares will be created on network file shares
Thanks & Q&A