Attivo Cloud®

User Guide
Revision A

46601 Fremont Boulevard, Fremont, CA 94538

htttps://www.attivonetworks.com
Contents

1 About Attivo Cloud 1

What are the applications available on Attivo Cloud? . . . . . . . . . . . . . . . . . . . . .... . . . .1
How does Attivo Cloud communicate with resources in your network? . . . . . . . . .... . . . .3
What are the supported operating systems and cloud platforms? . . . . . . . . . . . .... . . . .3
Where is Attivo Cloud hosted? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . .3
How does Attivo Cloud secure your data in the cloud? . . . . . . . . . . . . . . . . . . . .... . . . .4
Availability of Attivo Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . .4
What data from your network is sent to Attivo Cloud? . . . . . . . . . . . . . . . . . . . .... . . . .4
How to subscribe for Attivo Cloud? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . .4

2 Getting started with Attivo Cloud 5

Logging on to Attivo Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . .5
Grant Attivo Support access to your subscription . . . . . . . . . . . . . . .... . . . . . . . . . . . .6
Basic options in the Attivo Cloud console . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . .7
Manage your Attivo Cloud subscriptions . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . .8
Data purging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . .9
Customer management in Attivo Cloud . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 10
Allowing parent account to manage the child account . . . . . . . . . .... . . . . . . . . . . . 10
Viewing child account details . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 11
Switching to child account . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 11
Managing your Attivo Cloud users . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 12
Adding a new user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 12
Adding a new API user . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 12
Editing a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 13
Deleting a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 13
Locking a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 13
Unlocking a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 14
Authentication using SAML browser SSO . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 14
Service Provider initiated SSO Login using the Attivo Cloud . . . . . .... . . . . . . . . . . . 14
Single Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 15
Configuring SSO through an IdP . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 16
Configuring SAML 2.0 in Attivo Cloud . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 16
Configuring E-mail Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 18
Adding Emails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . 18

3 Cloud accounts in Attivo Cloud 19

Configuring your AWS account in Attivo Cloud . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 19
Downloading permissions in Attivo Cloud . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 19
Creating policy in AWS . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 19
Creating IAM role and assigning policy in AWS . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 21
Configuring AWS account in Attivo Cloud . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 22
Configuring Decoy Logging . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 23
Viewing and configuring AWS decoys . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 23
Reviewing and deploying AWS cloud decoys . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 24
Configuring your Microsoft Azure account in Attivo Cloud . .. . . . . . . . . . . . . . . . . . . . . . 26
Configuring your Azure account in Attivo Cloud . . . . . .. . . . . . . . . . . . . . . . . . . . . . 28
Viewing and configuring Azure cloud decoys . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 29
Reviewing and deploying Azure cloud decoys . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . 30

Attivo Cloud User Guide 1

Contents

4 ADAssessor 33
Summary of how ADAssessor works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 33
Exposure Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 34
Threat Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 35
Purpose and benefits of ADAssessor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 37
Requirements and considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 37
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 37
WinRM pre-requisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 38
Additional requirements and considerations for Threat Detection . . . . . . . .... . . . 40
Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 42
Configuring ADAssessor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 42
Deploy Attivo CloudLink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 43
Configure Active Directory server details . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 44
Configuring on-premise Active Directory . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 44
Configuring Azure Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . 48
Registering the app in Azure AD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring Azure Active Directory details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Understanding the ADAssessor Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Understanding the Dashboard tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Improve protection for Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Improve protection through ADSecure-EP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Understanding the AD Exposures tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
ADAssessor reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
How to generate a list of all the current exposures assessed by ADAssessor? . . . . . . . . . . 62
Understanding the Azure Exposures tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
List of exposures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Exclusions for ADAssessor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Create an exclusion record for ADAssessor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Skipped exposures-reasons and troubleshooting steps . . . . . . . . . . . . . . . . . . . . . . . . . 68

5 ADSecure-DC 71
How does ADSecure-DC work? . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 71
What are the types of attacks ADSecure-DC can detect? . . . . . . . .. . . . . . . . . . . . . . 72
Advantages of ADSecure-DC . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 74
ADSecure-DC and other AD-related features - a comparison . . . . . . .. . . . . . . . . . . . . . 74
Can ADSecure-DC be deployed along with EDN features? . . . . . . . . .. . . . . . . . . . . . . . 75
Deploying ADSecure-DC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 76
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 76
Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 77
High-level steps to configure ADSecure-DC . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 77
Configure ADSecure-DC . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 79

6 Configuring cloud decoys 81

Configuring AWS cloud decoys . . . . . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 81
Creating deceptive Access Keys . . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 81
Create deceptive S3 buckets . . . . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 82
Create deceptive Serverless - Lambda Web Application .... .. . . . . . . . . . . . . . . . . . 82
Create deceptive DynamoDB . . . . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 83
Create deceptive Lambda Function . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 83
Configuring Azure cloud decoys . . . . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 83
Creating deceptive Blob Storage . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 84
Creating deceptive File Storage . . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 84
Creating deceptive Cosmos DB . . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 85
Creating deceptive Azure Function App . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 85
Creating deceptive Web App . . . . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . . 86

7 Managing endpoint policies 87

Configuring scanner policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Creating scanner policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Manually create scanner policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Importing a .csv file to create scanner policies . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Exporting the empty .csv file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Defining the values in .csv file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

2 Attivo Cloud User Guide

 Contents

Importing the .csv file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Editing/deleting a scanner policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Exporting scanner policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Managing DNS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Specify the decoy IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Managing Exception policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Exceptions - an overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Purpose of exception rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Is it mandatory to create exception policies? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
How do exceptions work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Configurations that impact exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Features relevant to exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Understanding the allow policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring exception policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 95
Configure an allow policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . 96
Configure an intercept policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 100
Managing protection policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 101
Access Protection for Attivo Endpoint Application . . . . . . . . . . . . . . . . . . . . . . . . .. 101
Create or edit a protection policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 103
Interdependency between Endpoint Reporting and Console Apps settings . . . . . .. 107
Generate Attivo Endpoint Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 109

8 ADSecure-EP 111
How ADSecure-EP protects your Active Directory? ................. .... . . . . . . 111
Requirements and considerations . . . . . . . . . . . . ................. .... . . . . . . 112
Requirements . . . . . . . . . . . . . . . . . . . . . . . ................. .... . . . . . . 112
Considerations . . . . . . . . . . . . . . . . . . . . . . . ................. .... . . . . . . 112
FAQs . . . . . . . . . . . . . . . . . . . . . . . . . . . ................. .... . . . . . . 114
Deploying ADSecure-EP . . . . . . . . . . . . . . . . . . . ................. .... . . . . . . 115
Prerequisite tasks for ADSecure-EP . . . . . . . . ................. .... . . . . . . 115
Specify the DNS names and decoy IP addresses ................ .... . . . . . . 115
Configure Active Directory server details . . . . . ................. .... . . . . . . 117
Create a protection policy . . . . . . . . . . . . . . . ................. .... . . . . . . 119
View ADSecure-EP configuration data . . . . . . . ................. .... . . . . . . 122
Viewing the ADSecure-EP related events . . . . . . . ................. .... . . . . . . 123

9 Configuring Anti-Ransomware 125

High-level steps to configure Anti-Ransomware . . . . . . . . . . . . . . . .... . . . . . . . . . . 126
DataCloak . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . 127
Hiding files, folders, and mapped network drives . . . . . . . . . . . . .... . . . . . . . . . . 127
Requirements and considerations . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . 128
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Configuring DataCloak . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Behavior Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
How does Attivo Cloud identify ransomware? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Configuring Behavior Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
File Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Configuring File Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
View DataCloak Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

10 Deploying ThreatStrike 141

How to lure the attackers? . . . . . . . . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . 141
Creating deception objects for Lures . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . 142
Creating deception objects in bulk . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . 146
Upload deception objects through CSV file . . . . . . .... .. . . . . . . . . . . . . . . . . 146
Creating deception objects using format specifiers . . . .... .. . . . . . . . . . . . . . . . . 149
Create a decoy server deception object . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . 149
Create a credential deception object . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . 150
Create a domain deception object . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . 152
Create a browser URL deception object . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . 153
Create an email deception object . . . . . . . . . . . . . . . .... .. . . . . . . . . . . . . . . . . 154
Create a Web FTP profile deception object . . . . . . . . . .... .. . . . . . . . . . . . . . . . . 155

Attivo Cloud User Guide 3

Contents

Create a browser cookie deception object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Create VPN connection name deception object . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Scripts & Files deception object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Create a Scripts and Files deception object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Deploying decoy documents on production endpoints/servers . . . . . . . . . . . . . . . . . . . . 160
Manage Scripts & Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Header parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Create an Oracle Database deception object . . . . . . . .... . . . . . . . . . . . . . . . . . . 162
Managing deception objects . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . . . . . . . . 163
Edit a deception object . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . . . . . . . . 163
Clone a deception object . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . . . . . . . . 164
Delete a deception object . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . . . . . . . . 164
Configure lures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . . . . . . . . 164
Create a protection policy . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . . . . . . . . 164
View Lures Report . . . . . . . . . . . . . . . . . . . . . . . . . .... . . . . . . . . . . . . . . . . . . 170
Configuring credential protection in ThreatStrike . . . . . . .... . . . . . . . . . . . . . . . . . . 170
How to protect the production credentials? . . . . . . . . .... . . . . . . . . . . . . . . . . . . 173

11 Deploying Deflect 177

How does Deflect work on an endpoint? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Configure Deflect on an endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Deflecting inbound failed connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Deflecting outbound failed connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Deploying Deflect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Create a protection policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Deflect events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

12 ThreatPath 183
Summary of how ThreatPath works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
How can ThreatPath help to protect your network? . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
How to deploy ThreatPath? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configure Active Directory server details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Define the ignore and remediation rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Paths to be ignored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Remediation rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Steps to define ThreatPath rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Customizing path vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Customize path definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Configure the ThreatPath advanced features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
How is information structured in ThreatPath? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Understanding the Summary tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Impacted endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Critical AD accounts queried from the AD servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Stale Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
No password expiry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Endpoint Exposures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
SMB shared folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
SMB mounted shares/drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Local admin accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Local service accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Same Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Lateral movement paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Privilege Account Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
SMB exposed credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
SMB critical paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
RDP saved credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
RDP memory credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

4 Attivo Cloud User Guide

 Contents

Web. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Top 5 credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Paths Discovered vs Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Credentials per endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Understanding the Paths tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Viewing paths in the card visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Viewing the details of an exposure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Viewing the Credentials Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Remediation through ThreatPath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
How does ThreatPath remediation work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Remediation of specific attack paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

13 Deploying Attivo Endpoint Application 215

Install Attivo Endpoint Application on endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 215
EDN features support matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 215
Common Attivo Endpoint Application parameters . . . . . . . . . . . . . . . . . . . . . . . . .. 216
Parameters specific to ThreatStrike and ThreatPath . . . . . . . . . . . . . . . . . . . . . . .. 219
Signing of Attivo Endpoint Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 219
Manually install Attivo Endpoint Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 220
Installation on a Windows endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 220
Installation on Linux endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 222
Installation on Mac endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 224
Monitoring the status of Attivo Endpoint Application installation . . . . . . . . . . . . . . . . .. 225
Summary of Attivo Endpoint Application installation status . . . . . . . . . . . . . . . . . .. 225
Managed Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 226
Sign the Attivo Endpoint Application binary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 228
Method 1: Using your private key file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 228
Method 2: Using a private key from cert store . . . . . . . . . . . . . . . . . . . . . . . . .. 229
Method 3: Using a batch script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 229
Error codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 229

14 Endpoints Activity 231

Accessing the Endpoints Activity page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Understanding the Endpoints Activity page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Summary tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Details tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

15 Monitor your assets 241

Attivo Cloud Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Counters on the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Events classified according to MITRE ATT&CK . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Time-based Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Suspicious Endpoints by Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Suspicious Endpoints by Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Events Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Top 5 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Top 5 Suspicious Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Endpoint Detection Net (EDN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Recent Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Monitoring through the Events tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Details view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Forwarding event and fault messages from EDN to syslog via CloudLink . . . . . . . . . . . . 249
Creating a syslog profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Configuring syslog server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Syslog messages formats (CIM, CEF, LEEF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Understanding the Endpoint report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Sections in the report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

16 Configuring reports 259

Report types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Creating / adding a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Generating a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Attivo Cloud User Guide 5

Contents

Downloading reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Editing a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Deleting a report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

17 Attivo Cloud maintenance activities 263

Viewing system faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Opening the faults in System faults page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Audit logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Viewing audit logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

6 Attivo Cloud User Guide

1 About Attivo Cloud

Attivo Cloud is a software as a service (SaaS) offering from Attivo Networks. Attivo Cloud functions as a
platform that hosts multiple Attivo application, catering to various cloud infrastructures. Given Attivo
Cloud is a SaaS platform, your organization can subscribe to the required Attivo applications.
Advantages:
• Using Attivo Cloud, you can secure your on-prem as well as cloud resources.

• Attivo Cloud provides insights and metrics that are usually not available to the information security
team. For example, Attivo Cloud provides real-time information of the AD infrastructure like the
domains, trusts, details of domain controllers, list of privileged users, and so on that may not be
available.

• Because Attivo Cloud is delivered through the Internet, you can configure and deploy the required
applications across your organization from a central location. For example, you can deploy the EDN
features in all your branch offices without worrying about any network connectivity issues.

• Except for installing some lightweight applications on the endpoints you want to protect, no
installations or changes in your datacenter or network are required. This also means there are no
maintenance overheads.

What are the applications available on Attivo Cloud?

This section provides an overview of the Attivo applications currently available on Attivo Cloud. Over
time, more applications may be available through Attivo Cloud.
Attivo Cloud hosts the following applications:
ADAssessor
This application learns your Windows AD infrastructure, continuously assesses it for Indicators of
Exposure (IOE), and provides the required insights to mitigate and remediate the risks.
ADAssessor answers questions such as: what are the domains and subdomains in the forest, what are
the trusted domains, and what are the users and computers in each domain. This gives an insight into
the AD resources you want to protect.
ADAssessor also continuously assesses the configured domains and subdomains for vulnerabilities,
misconfigurations, and weaknesses. With this information, you can design your mitigation and
remediation plans accordingly.
Attivo Cloud queries the configured AD to learn the AD infrastructure and to assess for IOE. To
communicate with your AD, Attivo Cloud uses the services of Attivo CloudLink. It is a lightweight
application, which you must install on any one domain-joined Windows endpoint. Attivo CloudLink
establishes a persistent and encrypted 2-way communication with Attivo Cloud. Attivo CloudLink acts
as the gateway for Attivo Cloud to communicate with AD and other resources like SIEM and syslog
servers in your network.
For detailed information on ADAssessor, see Summary of how ADAssessor works
EDN (Endpoint Detection Net)

Attivo Cloud User Guide 1

1 About Attivo Cloud
What are the applications available on Attivo Cloud?

Endpoint Detection Net (EDN) is a suite of features, each designed to expose adversaries right at an
endpoint, as they perform malicious activities. For this, you must install a lightweight application
referred to as the Attivo Endpoint Application on all the endpoints you want to protect. The Attivo
Endpoint Application instances on the endpoints implement the EDN features as per your configuration.
Similar to Attivo CloudLink, the Attivo Endpoint Application establishes a persistent and encrypted 2-
way communication with Attivo Cloud. Attivo Cloud uses this communication channel to update
configuration changes to Attivo Endpoint Application. The EDN features configured on each endpoint,
use this channel to send the details of the detected malicious activities to Attivo Cloud.
EDN comprises of the following endpoint features:
ADSecure-EP: When adversaries query Windows AD, ADSecure-EP hides the configured critical AD
assets and inserts decoys in the AD response. For example, if an adversary queries for the domain
admins, then the ADSecure-EP module in Attivo Endpoint Application replaces the real domain admins
in the AD response with fake ones.
DataCloak: Protects your Windows endpoints from ransomware. Before ransomware can encrypt data
on a compromised endpoint, they typically need to enumerate files, folders, and network drives on that
endpoint. When an untrusted user or process enumerates the files, folders, or network drives you
specify, the DataCloak module hides these objects in the response. Thus, DataCloak can not only detect
ransomware activity but also keep the files and folders safe from ransomware.
Lures: Enables you to detect lateral movement and credential exfiltration in your network. Using Lures,
you can create decoy tokens for various applications Windows, Linux, and Mac endpoints. Then, Attivo
Endpoint Application inserts these tokens in the corresponding applications on the endpoints. For
example, you can create and install decoy tokens in Google Chrome.
These decoy tokens are identical to real ones but they point to non-existing servers. Therefore, when
an adversary attempts to move to a high-value target and uses a decoy token, Attivo Endpoint
Application on that endpoint detects it. Then Attivo Endpoint Application forwards the details to Attivo
Cloud, where you can view the event.
Deflect: Raises events when untrusted endpoints access forbidden network assets or perform
reconnaissance scans over the network. Attivo Endpoint Application monitors the inbound and
outbound connections. If it detects traffic matching a rule you defined, then it sends the details to
Attivo Cloud.
ThreatPath: Displays the potential lateral-movement paths and misconfigurations present on
endpoints. You can view the exposures present in your network. You can also configure ThreatPath to
remediate the feasible exposures and reduce the attack surface. Attivo Endpoint Application collects the
required data and sends it to Attivo Cloud, where the data is analyzed and exposures are identified and
displayed.
Cloud Decoys
This module enables you to create decoys in your cloud services. To create decoy cloud resources in
your cloud platform, Attivo Cloud provides just a tool - a template in case of AWS and a shell script in
case of Azure. You must log on to your cloud platform and use this tool to create the decoy resources.
Attivo Cloud continuously monitors these decoy cloud resources for any access attempts and reports
the details. Thus, you can detect adversaries in your network, who intend to meddle with your cloud
resources. You can also use the Lures feature to create tokens pointing to these decoy resources and
also insert them in the endpoints. Therefore, you can detect credential theft in your network.

Note: The products on Attivo Cloud function independently. However, when configured in tandem, these
features can complement each other. For example, ADAsessor and ADSecure-EP function independent of
each other. ADAssessor provides the necessary insights into your AD landscape for you to create a precise
protection campaign using ADSecure-EP.

2 Attivo Cloud User Guide

 About Attivo Cloud
How does Attivo Cloud communicate with resources in your network? 1

How does Attivo Cloud communicate with resources in your

network?
As discussed in the previous sections, Attivo Cloud can reach the resources inside your network. The
converse is also true.

Note: The URL that you use to access Attivo Cloud (GUI) and the URL that your endpoints use are different.

• To query Windows AD and to integrate with your SIEM and syslog servers, Attivo Cloud uses Attivo
CloudLink. Attivo Cloudlink establishes a persistent and encrypted 2-way communication channel over
port 443. This channel uses TLS version 1.2 for encryption. The cypher suite used is AES 256.

At any point in time, only one Attivo CloudLink is required for your entire organization.

• Each Attivo Endpoint Application installed on endpoints receive configuration changes related to EDN
features from Attivo Cloud and also send event details to Attivo Cloud. For this, the communication
channel between Attivo Endpoint Application instances and Attivo Cloud is similar to the one between
Attivo Cloud and Attivo CloudLink.
If you install Attivo CloudLink and Attivo Endpoint Application on the same endpoint, then there
are 2 similar but separate connections to Attivo Cloud from that endpoint.

• For Cloud Decoys, Attivo Cloud requires certain read-only privileges in your cloud platform. With
this, Attivo Cloud queries the cloud's APIs to gather data for Cloud Decoys.

What are the supported operating systems and cloud platforms?

Table 1-1 Application-platform support matrix

Application Supported platforms
ADAssessor • You can use only a Windows endpoint for Attivo CloudLink.
• Only Windows Active Directory installed on Windows 2008 R2 and later are supported
for ADAssessor and ADSecure-EP.
EDN • ADSecure-EP and DataCloak are supported only on Windows endpoints.
• Lures and ThreatPath are supported on Windows, Linux, and Mac endpoints.
• Deflect is supported on Windows and Mac endpoints.
• For the exact versions and flavors of the supported operating systems, see EDN
features support matrix.
Cloud Decoys The currently supported cloud platforms for AWS and Azure. That is, you can create decoy
resources in AWS and Azure.

Where is Attivo Cloud hosted?

The UI, backend server, and the database of Attivo Cloud are hosted in AWS using accounts belonging
to Attivo Networks. The data is currently stored in the US East region. Each subscriber’s data is safely
stored and segregated properly. For a detailed discussion, refer to Attivo’s Cloud Security, Data, and
Availability Considerations.

Attivo Cloud User Guide 3

1 About Attivo Cloud
How does Attivo Cloud secure your data in the cloud?

How does Attivo Cloud secure your data in the cloud?

As mentioned in the earlier section, data transfer between your network and Attivo Cloud is through a
securely encrypted channel. The data is stored in AWS, which cannot be accessed without proper
authentication.
Each customer (organization) in Attivo Cloud is a subscriber. Data of a subscriber is tagged with a
unique subscriber ID. This subscriber ID is used to identify and isolate data of each subscriber. One
subscriber can never access the data of another.
Attivo Cloud uses a unique secret key to authenticate and identify each Attivo Endpoint Application
instance. Along with subscriber ID, this secret key is used to keep the configuration isolated for each
subscriber.
For a detailed discussion, refer to Attivo’s Cloud Security, Data, and Availability Considerations.

Availability of Attivo Cloud

Refer to Provision of Purchased Services in Attivo’s Cloud Security, Data, and Availability
Considerations.

What data from your network is sent to Attivo Cloud?

Refer to Attivo’s Cloud Security, Data, and Availability Considerations.

How to subscribe for Attivo Cloud?

The high-level steps leading to your subscription of Attivo Cloud are listed below:
1 You contact Attivo Sales and opt for a 30-day trial or the paid version of the required application. The
features and functionality of the trial and paid version are the same.

2 When your subscription is approved, a customer account is created for your organization in Attivo
Cloud and you will receive a welcome email from Attivo Networks.

3 This email contains the URL to access Attivo Cloud. You must set up 2-factor authentication to access
Attivo Cloud.

4 You can create additional users if needed and then begin to configure the required products using the
Startup Wizard.

4 Attivo Cloud User Guide

2 Getting started with Attivo Cloud

This section contains generic information required to get started with Attivo Cloud.

Logging on to Attivo Cloud

The latest versions of the following browsers are supported to access Attivo Cloud:
• Chromium-based Microsoft Edge

• Chrome

• Safari

Notes:
• To get a good view across all the pages in Attivo Cloud user interface, below mentioned display
settings is recommended in the system and the browser.

• System Display Settings (Start | Settings | Display): Under Scale and layout | the size of
text, apps, and other items drop-down, the value should be set as 100%.

• Display resolution should be set as 1366 x 768 or higher.

• Browser: zoom should be set as 100%.

Before you begin:
You have received an email invitation to Attivo Cloud, and you have set up your user account with 2-
factor authentication in Attivo Cloud.
Steps:
1 Launch a supported web browser and enter https://cloud.attivonetworks.com as the URL.

2 Enter your email address and password and click Login.

3 Enter the passcode from the configured authenticator like Google Authenticator and click Login.

The Attivo Cloud Dashboard is displayed.

4 If this is the first time you have logged on to Attivo Cloud, then read through the End User License
Agreement (EULA) completely. You can click the EULA link present in the Subscription (Settings
icon | Subscription option) page and read the license agreement.

• After completely reading the license agreement, you can navigate to the required page directly and
use the features in Attivo Cloud.

Attivo Cloud User Guide 5

2 Getting started with Attivo Cloud
Grant Attivo Support access to your subscription

5 You can choose to visualize the user interface of Attivo Cloud in light and dark themes. After logging
in to Attivo Cloud, you can use the below toggle icon present on the top-right corner of the page to
switch between light and dark themes.

Grant Attivo Support access to your subscription

Attivo Support never asks for your password, but to assist you with your query or to troubleshoot an
issue, Attivo Support may ask you to grant access to your subscription.

Note: Without your explicit permission, Attivo Support can never login into your subscription.

How to grant login access?

Attivo Support may invoke the request to grant access. You can also directly grant access without
Attivo Support having to invoke the request.
• When the access is requested by Attivo Support, you will be prompted with the below dialog as soon
as you login into Attivo Cloud.

Note: The above prompt is displayed only for the default user (master user) of the subscription.

• You need to select Approve and Allow Access option and click Save to grant the access.

Note: Once your issue / query has been resolved, you are encouraged to go back and revoke the login
access. See Revoke access

To grant access directly:

Steps:
1 In Attivo Cloud, navigate to Subscriptions page (Settings icon | Subscriptions).

2 Click Login Access as shown below.

6 Attivo Cloud User Guide

 Getting started with Attivo Cloud
Basic options in the Attivo Cloud console 2

Login Access dialog is prompted.

3 Click Approve and Allow Access option and then click Save.

Note: Once you allow the access, full permissions will be granted and the Attivo Support team member will
be given the ability to view and edit everything in the subscription.

Revoke access
Any time, you can revoke the login access to Attivo Support.
Steps:
1 In Attivo Cloud, navigate to Subscriptions page (Settings icon | Subscriptions).

2 Click Login Access.

Login Access dialog is prompted.

3 Click Deny option and then click Save.

Basic options in the Attivo Cloud console

The following table provides the basic options in the Attivo Cloud console.

Attivo Cloud User Guide 7

2 Getting started with Attivo Cloud
Basic options in the Attivo Cloud console

Item Description
1 By default, the Attivo Cloud console opens in dark mode. Click this icon to toggle between
light and dark mode.
2 Indicates the system faults in different colors.
• Green indicates Attivo Cloud is functioning as configured.
• Yellow indicates a warning.
• Red indicates a critical fault.
Click the icon to open the Fault Logs page.
3 Click to display the relevant section from Help in a new tab.
4 Using the Subscription module, you can try an application that you have not subscribed for.
To add more users to your organization’s account in Attivo Cloud, see Managing your
Attivo Cloud users.
5 You can change your password as part of security best practices. You need the current
password and the passcode from the multi-factor authenticator to set the new password.
The password criteria is displayed in the UI.
You can gracefully logout of Attivo Cloud.

Manage your Attivo Cloud subscriptions

You can manage your Attivo Cloud product subscriptions in the Subscriptions page (Settings icon |
Subscription).
Under Product Subscriptions, you can manage the subscriptions for each of the product (ADAssessor,
Cloud Decoys , EDN) as mentioned below:
• You can use the Try Now button and test the trial version of the required product.

• You can click Buy more licenses to buy more licenses for the required products.

• Once you click Buy more licenses, you will be prompted with Request More Licenses window.
You can select the required products for which you want to buy more licenses and click Submit
button. A request will be sent to Attivo Sales. Attivo Sales will contact you to assist you in
increasing the number of licenses for the required product.

• To troubleshoot an issue or to assist you with a query, Attivo Support may ask you to grant your login
access, so that Attivo Support can login into the application using your login and fix the issue. See
Grant Attivo Support access to your subscription

8 Attivo Cloud User Guide

 Getting started with Attivo Cloud
Basic options in the Attivo Cloud console 2

Data purging
Data purging is a process of freeing up space by deleting the inactive or obsolete data which is no more
required.
You can use Purge Data feature in Attivo Cloud to permanently delete the inactive or obsolete records
present under your user name.
Data purging in Attivo Cloud is useful in the following example scenarios; there could be considerable
amount of data (achieved by EDN features or the data generated due to endpoint activities, etc.,) which
you do not require for any purpose or you want to test a latest feature and want to start newly.
When you trigger data purging in Attivo Cloud, all the data related to the following are permanently
deleted:
• Dashboard data.

• Automatically generated or manually generated events.

• Endpoints activity report.

• Protection policies records.

• DNS policies records.

• Exception policies records.

• Scanner policies records.

• Configured Active Directory.

• Syslog profiles.

• Fault and Audit logs.

• Configured AWS or Azure Cloud accounts.

• Reports.
Steps:
1 Click Settings icon present in top-right corner of the Attivo Cloud console and then select
Subscription option.

Subscription page is displayed.

2 Click Purge Data button.

A warning stating “This action is irreversible. Do you want to continue?” is displayed.

3 Click Ok button.

Notes
• On purging the data,

• only the data which is present for the currently logged on user will be permanently deleted.

• default protection policy will not be deleted.

• the default protection policy enables the features based on the license you have been assigned
with.

• users under User Management will not be deleted.

Attivo Cloud User Guide 9

2 Getting started with Attivo Cloud
Customer management in Attivo Cloud

• Data purging does not cause any impact on the number of subscriptions or number of licenses for the
EDN features.

Customer management in Attivo Cloud

Customer Management module in Attivo Cloud allows parent accounts to manage the child accounts. A
parent account is provided to an MSSP to manage their customer accounts or to an individual
organization or to a parent organization having various sub-entities.
A parent account can manage the child accounts only if the child accounts provide approval to manage
their accounts.

Allowing parent account to manage the child account

During sign-up, the child account user will be prompted to confirm whether to approve the parent
account (MSSP or parent organization) to manage their account or not.
If a child account has already denied the access to the parent account then the child account can
provide the approval by following the below procedure.
Steps:
1 Login into Attivo Cloud using the child account.

2 Click the Settings icon and select Subscription option.

3 Click Login Access.

The Login Access window is displayed.

4 Select Approve and Allow Management option to approve.

10 Attivo Cloud User Guide

 Getting started with Attivo Cloud
Customer management in Attivo Cloud 2

Viewing child account details

If you have logged into Attivo Cloud using your parent account, you can view the list of child accounts
managed by you in the Customer Management page. You can click the Account Details button
present for the required account to view the corresponding account details.

Steps:
1 Click Settings icon and select Customer Management.

Customer Management page having the list of child accounts managed by you is displayed.

Note: If the child accounts have provided their approval to parent accounts to manage their accounts,
then the status for Management Access will be displayed as Approved.

2 Click Account Details link present for the required child account.

Account Details window is displayed.

• In Account Details window, the details such as account id, host id, list of purchased products, and,
approval/disapproval status for Management access are displayed.

Switching to child account

After logging into Attivo Cloud using your parent account, you can switch to the required child account
to view and manage it.
You can switch to the required child account by clicking inside the drop-down box present beside
themes icon and by selecting the required child account.

Attivo Cloud User Guide 11

2 Getting started with Attivo Cloud
Managing your Attivo Cloud users

• Once switched, the Dashboard of the child account is displayed.

You can navigate through various menu options and view the data present for the child account.

Managing your Attivo Cloud users

Attivo Networks creates a default user for every subscriber (organization) in Attivo Cloud. This default
user is the master user for that subscriber. This master user can create additional users for that
subscriber. The master user can invite (add), modify, delete, and lock (suspend) other users.

Adding a new user

Steps:
1 Click Invite User button in User Management page.

Invite User dialog is displayed.

Enter the details in the corresponding fields:

Field Description
Email Address Enter the email address of the user.

Note: The email address must be unique across Attivo Cloud.

Password Enter the password for the user. Refer the password criteria.
Phone Number Enter the phone number of the user.
Though not recommended, you can use the same phone number for multiple users.

2 After adding the details, click Invite User button.

Note: To clear the entered details, click Clear button.

The user record is created in the User Management page.

Attivo Cloud sends an email invitation to the corresponding user on your behalf with a temporary
password. This invitation is valid for the next 48 hours.

The user must follow the instructions in the email and configure his account with a new password
and a 2-factor authentication. The user can use any time-based multifactor authentication app like
Google Authenticator for this purpose.

Note: A master (subscriber) user can create up to a maximum of 50 users.

Adding a new API user

Steps:
1 Click Settings and navigate to User Management page.

2 Navigate to Invite User and click New API User to add a new API User.

12 Attivo Cloud User Guide

 Getting started with Attivo Cloud
Managing your Attivo Cloud users 2

3 On the New API User screen, enter the details in the Identifier/Name and Email Address fields.

4 Click Add User.

Note: To create a New API User, you must provide an alternate/alias Email Address.

5 The new API user is created.

Editing a user
Steps:
1 Select the user for which you want to edit the details.

Edit User dialog is displayed.

2 Edit the details as required and click Edit User button.

Note: To clear the existing details, click Clear button.

Deleting a user
Steps:
1 Select the user which you want to delete and click Delete button.

2 Edit the details as required and click Edit User button.

Note: To clear the existing details, click Clear button.

Locking a User
Steps:

Attivo Cloud User Guide 13

2 Getting started with Attivo Cloud
Authentication using SAML browser SSO

1 Select the user which you want to lock and click Lock button.

2 The selected user will be locked and the Lock Status will be displayed as Locked.

Note: You cannot lock the Master User from the list.

Unlocking a User
Steps:
1 Select the locked user which you want to unlock and click Unlock button.

2 The selected user will be unlocked and the Lock Status will be displayed as Unlocked.

Authentication using SAML browser SSO

Whenever users access Attivo Cloud, they must authenticate using valid credentials, and then they are
provided the corresponding privilege. If you require your users to be authenticated by a federated
single sign on (SSO), you can integrate Attivo Cloud with identity providers that support SAML 2.0.
Some examples are Okta and PingFederate.
Following are some of the basic terms related to SAML:

SAML
Security Assertion Markup Language (SAML) is an OASIS open standard for applications to exchange
authentication, user identity, and user attributes.

Web browser SSO

Web browser SSO enables web applications to use the services of an identity provider (IdP) to
authenticate and authorize its users. Browser SSO relies on cookies to identify if a user is already
authenticated. If so, the user is granted access without requiring authentication separately for each
web application.
In addition to the generic advantages of Web browser SSO, the following are the advantages specific in
case of BOTsink:
• You can use an enterprise-class IdP for authentication.

• Regardless of the domain they belong to, authenticated users can access the Attivo Cloud.

SAML assertion
A SAML assertion is an encrypted token in XML format. To access a web application, the user
authenticates with the corresponding IdP. Then, the IdP sends a SAML assertion containing the user
name and attributes to the corresponding SP. Then, the SP sends the assertion token to Attivo Cloud.

Note: The master user must use a generic email id (example: attivo-admin@acme.com), a service account,
a distribution list. If a personal email address is used, that user’s authentication is directed to Attivo Cloud.

Service Provider initiated SSO Login using the Attivo Cloud

Attivo Cloud is designed to integrate with all the Identity Providers that support SAML 2.0. As of now,
Attivo Networks has verified the federated SSO systems such as PingOne, Okta, ADFS, One logon, on-
prem AD 2019, but all the Identity providers that support SAML 2.0 should be able to authenticate the
users accessing Attivo Cloud.
Here the Service Provider (SP) is Attivo Cloud and you are attempting to login using Attivo Cloud.
• The Attivo Cloud creates a SAML 2.0 request and encrypts it using a secret key.

14 Attivo Cloud User Guide

 Getting started with Attivo Cloud
Authentication using SAML browser SSO 2

• The Attivo Cloud sends this request to your browser.

• The browser redirects this request to the IdP, which handles the authentication.

• IdP decrypts the token using the secret key and determines your authentication (credentials) and
authorization (role).

• If your session is not valid then you must sign on to the IdP.

• IdP creates a SAML response and that contains your username and role information and encrypts this
token and sends it to the browser.

The browser forwards this information to Attivo Cloud and when Attivo Cloud receives the SAML
assertion from the IdP, you are granted access.

Note: The above illustration shows a SP-initiated SSO flow. An IdP-initiated SSO is also supported. In
an IdP initiated SSO, you are attempting to login to the Attivo Cloud using your IdP. For example, if you
use Okta as the IdP, you can log on to Okta and then click the Attivo Cloud chiclet to access the Attivo
Cloud without re-authentication.

Single Logout
If Single Logout is activated on your IdP, you will be signed out of any other services that you are
using, when you log out of Attivo Cloud.
• Attivo Cloud creates a SAML 2.0 request and sends it to the browser.

• The browser redirects this request to the IdP.

• IdP determines which other services you are logged on to, apart from Attivo Cloud.

• IdP logs you out from all your other services as well.

• IdP creates a SAML log out token and forwards this token to your browser.

• Browser redirects the log out token to Attivo Cloud.

• You are logged out of Attivo Cloud.

Attivo Cloud User Guide 15

2 Getting started with Attivo Cloud
Authentication using SAML browser SSO

Note: Single logout is not supported in Okta.

Configuring SSO through an IdP

Following are the high-level steps for configuring SSO through an Identity Provider:
Steps:
1 Create Attivo Cloud as a new application in the IdP.

2 Verify if the Attivo Cloud users are already defined in the IdP. If not, add them.

3 Assign the Attivo Cloud application you created to the users in the IdP.

Note: If you use Okta as the IdP, you can assign Attivo Cloud roles to the users for role-based access
control.

4 Configure the SAML 2.0 settings in Attivo Cloud.

Note: Procedure for configuring SSO through various IdPs differs, therefore you must contact Attivo Support
for the exclusive procedure document based on the IdP you use.

Configuring SAML 2.0 in Attivo Cloud

After you complete all the required configuration in IdP as explained in the earlier section, you
configure the SAML 2.0 details in Attivo Cloud.
Recall that there are two methods to configure SAML 2.0 details in Attivo Cloud:
• Import the metadata.xml file that you downloaded from IdP. This is the easier option.

• Manually enter the details. All the required details are in the metadata.xml file. The same details were
also listed as setup instructions in IdP when you created Attivo Cloud as an application in IdP.
Steps:
1 In Attivo Cloud, click Settings icon and select SAML 2.0.

2 Click the switch icon and enable the configuration.

3 To import the metadata file, select Upload XML file and import the metadata.xml file. Make sure the
file has the .xml extension.

16 Attivo Cloud User Guide

 Getting started with Attivo Cloud
Authentication using SAML browser SSO 2

4 To manually enter the details, select Manual.

a In the Entity ID field, enter the entity ID provided by the IdP. If you have the metadata.xml file,
it is the URL that is provided as the entity ID.

Note: The Entity ID will be used in the saml.config file by the SP.

b In the Login URL field, enter the URL to which the Attivo Cloud must send the SAML request. In
the metadata.xml file, this URL is the value given for Location. In the Setup Instructions, it is
provided as the value for Identity Provider Single Sign-On URL.

c Select Yes in the Enforce Logout field, if you want to configure Single Logout for Attivo Cloud.

d In the Logout URL field, enter the SLO URL of Attivo Cloud.

• SLO URL format: https://cloud.attivonetworks.com/saml2/logout/slo/

%7BregistrationId%7D

This is the SLO URL where the SAML logout request is sent.

e In the X.509 Certificate field, copy and paste the data provided within the <ds:X509Certificate>
tag in the metadata.xml file. Do not copy the open and end tags. This is the same data that is
provided between BEGIN CERTIFICATE and END CERTIFICATE in the Setup Instructions in the IdP.

5 In the ACS (Assertion Consumer Service) URL field, the login URL of Attivo Cloud is displayed by
default. You can enter the URL and this is the URL to which the Identity provider redirects the
authentication response.

• ACS URL format: https://cloud.attivonetworks.com/login/saml2/sso/Z21haWwuY29t

Attivo Cloud User Guide 17

2 Getting started with Attivo Cloud
Configuring E-mail Notifications

6 In the Domain field, the domain name to which the master user belongs to will be displayed by
default. For all the logged in non-master users, this domain name will be displayed by default.

The SAML configuration is created against this domain and all the users belonging to this domain
should be able to login as federated users.

Note: Attivo Networks uses the domain configured in the cloud. For additional domains or sub-domains,
please reach out to Attivo Support, and we will verify the ownership of the domain before adding it.

7 In the SP Entity Id field, the entity id of the Service Provider (SP) is displayed by default.

Configuring E-mail Notifications

The Attivo Cloud uses the details mentioned in the Email Notifications page to send the events through
mails. For this purpose, you must configure the email IDs in Attivo Cloud.

Adding Emails
You must add the valid email ids and select the severity based on which the qualifying events are sent
to the recipient emails.
Steps:
1 Click Configuration | System | Email Notifications.

Email Notifications page is displayed.

2 Click the enable/disable toggle icon and make it enabled. Attivo Cloud sends the events through mails
only if this option is set as enabled.

3 In To Email Address field, enter a valid email id and click + icon.

The newly entered email id gets added to the list. Repeat the above steps to add as many email ids
you want. To remove an email id, click Remove.

4 In Events Forwarding Severity field, select the required severity which the event should qualify to
send the event through mail.

Note: You can select the severity as either Medium or High.

5 Click Save.

18 Attivo Cloud User Guide

3 Cloud accounts in Attivo Cloud

When your enterprise’s data is in Cloud, the security of the data becomes imperative. Cloud user
accounts will have the authentication and authorization access to use the cloud resources. Attivo Cloud
uses the APIs of your cloud environment to track and monitor the cloud user accounts for any
suspicious activities.
To track and monitor the resources in your cloud infrastructure using Attivo Cloud, you must first
configure your cloud accounts in Attivo Cloud. When you configure your cloud account, the API
integration between your cloud infrastructure and Attivo Cloud is established. Then, you can configure
and deploy decoys in your cloud infrastructure. If any suspicious activity is encountered in your cloud
infrastructure, then Attivo Cloud reports the corresponding event.
This section details how to configure AWS and Microsoft Azure accounts in Attivo Cloud.

Configuring your AWS account in Attivo Cloud

The account which you are going to configure in Attivo Cloud should have permissions for creating
policies, creating IAM role, and assigning of policy to the role, in AWS. Before configuring your AWS
account in Attivo Cloud, you must complete the below tasks:
• Download permissions in Attivo Cloud.

• Create a policy in AWS by adding the above permissions.

• Create a role and assign the above policy.

Downloading permissions in Attivo Cloud

Download the permissions (JSON file) from Attivo Cloud to assign it to a policy.
Steps:
1 Login into Attivo Cloud.

2 Click Configuration | Cloud | AWS | Account Configuration.

Step 1 Configure the AWS details for Cloud Decoys page is displayed.

3 Click Download Permissions File button.

The aws-permissions.json file gets downloaded. Make a note of the file downloaded location.

Creating policy in AWS

A policy in AWS defines the AWS permissions that you can assign to a user, a group, or to a role. You
can create a policy under IAM service in AWS.
Steps:

Attivo Cloud User Guide 19

3 Cloud accounts in Attivo Cloud
Configuring your AWS account in Attivo Cloud

1 Log in into your AWS account. This is the same account which you are going to configure in Attivo
Cloud.

2 Click Services, navigate to Security, Identity, & Compliance section from the list of services
displayed. Alternatively, search for IAM in the Search box and select IAM option.

IAM Dashboard is displayed.

3 Under Access Management, click Policies and then click Create policy.

Create policy page is displayed.

4 Click the JSON tab, select all the existing content present in the JSON editor and delete it.

5 Navigate to the folder location where the aws-permissions.json file is present and open it.

6 Copy the entire content and paste it in the JSON editor.

7 Click Review policy.

Review policy page is displayed.

20 Attivo Cloud User Guide

 Cloud accounts in Attivo Cloud
Configuring your AWS account in Attivo Cloud 3

8 Enter a name for the policy.

9 Optionally enter a description.

Based on the permissions defined in the JSON editor, the Summary section displays the list of
following services: CloudFormation, CloudWatch Logs, DynamoDB, EC2, IAM, Lambda, RDS, and S3.

10 Click Create policy.

The policy gets created.

Creating IAM role and assigning policy in AWS

IAM role in AWS is used to control, who is authenticated and authorized to use the AWS resources. You
must create an IAM role for Attivo Cloud and attach the policy you created before. Recall that the policy
is attached with the permissions (JSON) file having read only permissions to your cloud services.
Steps:
1 In AWS, navigate to IAM Dashboard (Services | Security, Identity, & Compliance | IAM).
Alternatively, search for IAM in the Search box and select IAM option.

IAM dashboard is displayed.

2 Under Access Management, click Roles and then click Create role.

3 In the Create role page, click Another AWS account.

Attivo Cloud User Guide 21

3 Cloud accounts in Attivo Cloud
Configuring your AWS account in Attivo Cloud

4 Enter the ID of Attivo Cloud’s AWS account.

Note: Since, Attivo Cloud needs read only access to your AWS environment, you need to provide the ID
Attivo Cloud’s AWS account which will assume this role. The account information will be provided by
Attivo.

5 Select the Require external ID option.

This is useful when another AWS account wants to assume this role. Assuming of a role means,
asking for Security Token Service (STS) of a role that needs to be assumed.

Note: Since Attivo Cloud is required to assume this role. You must select this option and enter the
external ID that is displayed by default in AWS Account Configuration page in Attivo Cloud.

6 Click Next: Permissions.

7 In the Attach permissions policies page, search for the policy you created before and select it to
attach it to the role.

8 Set the required permissions boundary option.

9 Click Next: Tags.

10 Add the tags if required and click Next: Review.

11 In the Review page, enter a name for the role, optionally enter a description.

12 Verify the values in the Trusted entities, Policies, and Permissions boundary fields.

13 Click Create role.

Role gets created with the Permissions policy attached.

14 Search for the newly created role in the Roles page, open it and copy the ARN to enter it while
configuring the AWS account in Attivo Cloud.

Configuring AWS account in Attivo Cloud

Recall that, to provide Attivo Cloud, the read only access to your AWS services, you need to configure
your AWS account in Attivo Cloud.
Before you begin:
• You have created a permission policy for Attivo Cloud.

22 Attivo Cloud User Guide

 Cloud accounts in Attivo Cloud
Configuring your AWS account in Attivo Cloud 3

• You have created a role for Attivo Cloud and attached the above policy to the role.

• You have copied the Role’s ARN to enter it in Attivo Cloud.

Steps:
1 In Attivo Cloud, click Configuration | Cloud | AWS | Account configuration.

Enter the details in the corresponding fields.

Field Description
Name Enter a name for the AWS account. This is for reference in Attivo Cloud.
AWS Account ID ID of the AWS account in which you want to provide Attivo Cloud the read only access to
various services.
Role ARN ARN of the role which you copied after creating the role.
AWS External ID This field displays a unique ID by default. This is generated by Attivo Cloud.

2 Click Save.

The AWS account gets added in Attivo Cloud.

3 If required, you can enable track changes for the IDEntitleX feature by clicking Configure Now
present inside IDEntitleX box. When you click Configure Now, the IDEntitleX Configuration
dialog is displayed. You can enable/disable the track changes and click Save.

4 If required, you can deploy the already configured AWS decoys under Decoys box.

• To deploy the AWS decoys, click Deploy. You will be directed to the AWS Decoy Deployment page.
Click Review/Deploy and deploy Azure decoys.

5 Click Add Another and repeat the above steps to add one more AWS account, if required.

• Click Update if you have modified the details of an AWS account.

• To remove the AWS account, click Remove.

Configuring Decoy Logging

You can configure your existing Cloud Watch Log Group in Attivo Cloud to monitor, store and access the
log files of various AWS resources. Attivo Cloud accesses CloudWatch logs to fetch details about the
access of deceptive resources.
Steps:
1 In Attivo Cloud, click Configuration | Cloud | AWS | Account configuration.

2 Under Decoy Logging section, enter the name of CloudWatch Log Group Name and click Save.

Note:
• The CloudWatch Log Group Name entered here must exist in AWS accounts already.

• Once the details under Decoy Logging section are saved, the CloudWatch Log Group Name field
will be displayed as view-only and you are not allowed to change it. To change the CloudWatch Log
Group, you must delete all the existing AWS accounts and add them again with the required
CloudWatch Log Group Name.

Viewing and configuring AWS decoys

After adding your AWS accounts in Attivo Cloud, you can click Save & continue button to move to the
next step where you can view and configure the AWS cloud decoys.

Attivo Cloud User Guide 23

3 Cloud accounts in Attivo Cloud
Configuring your AWS account in Attivo Cloud

Therefore, apart from configuring your AWS cloud decoys from Configuration | Cloud | AWS | Decoy
Configuration page, you can also configure them while viewing them in Configuration | Cloud |
AWS | Account Configuration | Configure the decoy AWS resources page.
Before you begin:
We assume that you are currently in Configuration | Cloud | AWS | Account Configuration page.
Steps:
1 Click Save & Continue button.

Configure the decoy AWS resources page is displayed.

2 Select the required AWS user account.

3 Configure the decoys for Access key, S3 bucket, Serverless - Lambda Web App, Dynamo DB, and,
Lambda function services as per your requirement.

Notes:

• You can either choose to configure the decoys (custom) for each of the service or use the default
decoys. Default decoys are nothing but the pre-defined decoys generated by Attivo Cloud.
• To add default decoys for the services you just need to click ‘+’ icon present for each of the service.
Each time you click + icon for a service, it increments the default decoy number by 1. To decrease
the number default decoys, you need to use - icon.

• You can add up to 5 default decoys for each of the services.

• For the first time, the default decoy value will be displayed as 0 for each of the service. It indicates
that no default decoys have been configured and the status will be displayed as Nothing
Configured. You can either add a default decoy for the resource by clicking + icon or add a custom
decoy by using Configure Now button. You can configure as many custom decoys as you want.

• For each of the service, you can see a numeric value which indicates that, those many number of
default decoys will be deployed in your Azure environment. For example, if it displays 2 for the
service ‘S3 Bucket’, then it means that 2 default S3 Buckets are configured for deploying.

• If the value is 0, then it means that no decoys have been configured for the service and the status
is displayed as Nothing Configured. To add a default decoy for the service you can just click + icon,
or to add a custom decoy you can click Configure Now button.

• For an existing configured service, you can edit or review it using Edit/Review button.

• At least one Access Key and S3 Bucket should be configured first to continue with deploying of
cloud decoys.

For detailed information about configuring decoy for each of the supported AWS services, see
Configuring AWS cloud decoys.

4 Once you configure the AWS cloud decoys, you must click Review/Deploy button continue with
deployment. See Reviewing and deploying AWS cloud decoys.

Reviewing and deploying AWS cloud decoys

This section details about reviewing the cart which displays the summary of: the subscription, resource
group, and the configured decoy resources. It also details how to deploy the decoy services in your
AWS environment.
Before you begin:
• We assume that you are currently in Configure the decoy AWS resources page.
Steps:
1 Click Review/Deploy button.

Review cart page is displayed with the summary of:

24 Attivo Cloud User Guide

 Cloud accounts in Attivo Cloud
Configuring your AWS account in Attivo Cloud 3

• the account in which the decoy services will be deployed.

• list of services configured for deployment.

• Stack details (name and region).

Note: Attivo cloud generates a unique Stack name and displays it under Stack details section. The
same stack will be launched to deploy the decoy services in your cloud environment.

2 Review the currently configured services. To edit the services, you can click Back button to return to
the previous page.

3 If required, change the region using the drop down option present in Region field.

4 Once you are done with reviewing the cart, click Next/Launch Stack.

You will be directed to AWS.

• If you have already logged into AWS, then you will be directed to CloudFormation > Stacks >
Create Stack page directly.

• If you have not logged into AWS, then AWS login page is displayed. On logging into AWS. You will
be directed to CloudFormation > Stacks > Create stack page directly.

Under Prerequisite - Prepare template section, Template is ready option is selected by

default.

Under Specify template section, Amazon S3 URL option is selected by default.

5 Click Next.

Specify stack details page is displayed. Stack name is picked by default.

Note: Do not modify the stack name as it is retrieved from the Review/Cart page and modifying it may
impact decoy deployment.

6 Click Next.

Configure stack options page is displayed.

Do not modify any of the details displayed under Tags, Permissions, and Advanced options
(Stack policy, Rollback configuration, Notifications options, and Stack creation options).

7 Click Next.

Review stack page is displayed with the summary of what all options were selected in the
previous pages.

8 Under Capabilities and transforms section, select all the three options and click Create Stack
button.

You will be proceeded to the next page where you can see the stack creation status as
CREATE_IN_PROGRESS. Meanwhile in Attivo Cloud (Analysis | Cloud | AWS | Dashboard),
You will see the status of decoy creation as ‘Decoy creation is in progress’.

It will take few minutes for the stack to get created. Once created, you will see the status as
CREATE_COMPLETE.

This confirms that the stack was successfully created. At the same time, you can see the stack
creation status as Decoy creation is completed successfully in Attivo Cloud.

Attivo Cloud User Guide 25

3 Cloud accounts in Attivo Cloud
Configuring your Microsoft Azure account in Attivo Cloud

Configuring your Microsoft Azure account in Attivo Cloud

To configure your Microsoft Azure account in Attivo Cloud, it requires to capture the details of the
following: Azure Tenant ID, Azure Subscription ID, Azure Client ID, and Azure Client Secret. By using
these details, you can configure and deploy cloud decoys in your Azure environment.
Azure Tenant ID
Tenant ID is a global unique identifier of Azure AD instance.
A tenant represents an organization. It’s a dedicated, trusted, and single instance of Azure Active
Directory. The Azure AD is created when an individual or an organization signs up for Microsoft Azure
Cloud services.
• Azure AD is trusted to authenticate and manage users, groups, services, permissions, and devices.

• Azure AD tenants can be associated with multiple subscriptions, but a subscription can only be
associated with a single tenant.

• Each directory may contain one or more domains and it can be associated with multiple subscriptions,
but only one tenant.

There are few ways to find the tenant id for your subscription and below mentioned is one of them:
In the Azure portal, select Azure Active Directory from the left navigation panel.

Azure Subscription ID
Subscription ID is a global unique identifier that uniquely identifies your subscription to use Azure
services.
• A subscription is a logical grouping of Azure services that is linked to an Azure account. A single Azure
account can contain multiple subscriptions.

26 Attivo Cloud User Guide

 Cloud accounts in Attivo Cloud
Configuring your Microsoft Azure account in Attivo Cloud 3

• Every Azure subscription has a trust relationship with an Azure AD instance. This means that it trusts
that directory to authenticate users, services, groups, and devices. Multiple subscriptions can trust
the same directory, but a subscription trusts only one directory. A single subscription can be
associated with only one tenant.

• Billing for Azure services is done on per-subscription basis. Each subscription contains various
resource groups. A Resource group is a logical container which contains a set of resources or all of
the resources which you can manage, deploy, and maintain them as a single entity. Using Attivo
Cloud, you can deploy decoys for the resources such as, Blob Storage, File Storage, Cosmos DB, Azure
Function App, and Web App.

• To deploy the decoys in multiple resource groups which are associated with different subscriptions,
then you need to identify those resource groups and configure the corresponding Subscription IDs
that many times in the Azure account configuration page. While deploying the decoy resources, you
need to select the corresponding subscription and the resource group.

To find the Subscription ID in your Azure account, access the Subscriptions shortcut link in the Azure
portal home page. List of all the Subscriptions present in the account are displayed. You will find the
Subscription ID displayed for each of the Subscriptions listed.

Azure Client ID
In order to provide Attivo Cloud the read only access to your Azure Cloud resources, you need to have
one Azure AD application (app) created in Azure portal for Attivo Cloud and have it registered under the
same tenant (whose ID is specified in the Account configuration page).
• On registering the app, an identity is created for the app which is known as service principal. This will
be automatically created when the application gets registered. This is the ID you need to enter in
Azure Cilent ID field in the Azure account configure page.

• You also need to assign the above app to a role in your subscription whose ID you are going to specify
in the Subscription ID field. This role should be off Reader who can only view your Azure Cloud
resources. Recall that, you can deploy decoys for Blob Storage, File Storage, Cosmos DB, Azure
Function App, and Web App resources.

To find the Client ID in Azure portal, click the Menu icon and select Azure Active Directory. In the left
navigation panel, select App registrations to view the list of all the registered applications. Copy the
Application (Client) ID displayed for the app you registered for Attivo Cloud before and store it.

Attivo Cloud User Guide 27

3 Cloud accounts in Attivo Cloud
Configuring your Microsoft Azure account in Attivo Cloud

Client Secret
This is the secret which will be known only to the registered app and the authentication server.

Note: Make sure you have generated the client secret for the above app and copied the secret value which
will be used by the app for its identity.

To view the Client secret for the above registered app,

1 In Azure portal, navigate to App registrations page, click on the Display name of the registered
app to open it.

App details page is displayed.

2 Click Certificates & secrets in the left navigation panel.

Certificates & secrets page is displayed.

3 Under Secret section, you can view the secret value under Value column for the registered app. This
is the value you need to enter in the Azure Account Configuration page.

Configuring your Azure account in Attivo Cloud

Before you begin:
• You have the Tenant ID.

• You have the ID of the Subscription which is associated with the above Tenant.

• You have registered the application for Attivo Cloud and assigned the application to the above
Subscription.

• You have the Client ID and the Client Secret of the registered app.
Steps:
1 Login into Attivo Cloud.

2 Click Configuration | Cloud | Azure | Account configuration.

3 Enter the details in the corresponding fields.

28 Attivo Cloud User Guide

 Cloud accounts in Attivo Cloud
Configuring your Microsoft Azure account in Attivo Cloud 3

Field Description
Name Name of the Azure account.
Directory (tenant) ID) Tenant ID of your Azure account.
Application (client) ID Client ID of the application which is registered for Attivo Cloud.
Client Secret Value The Client secret value you copied from the registered application.

4 Click Save.

5 If required, you can enable data synchronization for ADAssessor and IDEntitleX features. You can
also configure/deploy the Azure decoys.

• To enable data synchronization for ADAssessor and IDEntitleX features, click the enable/disable
switch present in each of the features.

• When you click Save after entering the Azure account details, the first synchronization is
triggered automatically for ADAssessor and IDEntitleX features. To synchronize the data later,
you can click the sync icon present in the ADAssessor and IDEntitleX features.

Note: The sync action synchronizes the identities, resources, and entitlements from the corresponding
account. The synchronizing time depends on the number of objects being retrieved. For a small
account, it may take a few minutes, and for a large account, it may take several hours.

• You can enable track changes for the IDEntitleX feature by clicking Configure Now present
inside IDEntitleX box. When you click Configure Now, the IDEntitleX Configuration dialog is
displayed. You can enable/disable the track changes and click Save.

• Also, you can configure Azure decoys newly or deploy the already configured Azure decoys under
Decoys.

• To configure Azure decoys, click Configure Now. You will be prompted to enter the Azure
Subscription ID. Enter the Azure Subscription ID and click Save.

• To deploy the already configured Azure decoys, click Deploy present inside Decoys box. You
will be directed to Azure Decoy Deployment page. Click Review/Deploy to deploy the Azure
decoys.

6 Click Add Another and repeat the above steps to add more Azure accounts.

• Click Update if you have modified the details of an Azure account.

• To remove the Azure account, click Remove.

Viewing and configuring Azure cloud decoys

After adding your Azure accounts in Attivo Cloud, you must click Save & continue to move to the next
step where you can view and configure the decoys.
Therefore, apart from configuring your Azure decoys from Configuration | Cloud | Azure | Decoy
Configuration, you can also configure them while viewing from Configuration | Cloud | Azure |
Account Configuration page.
Before you begin:
• It is assumed that you are currently in Configuration | Cloud | Azure | Account Configuration
page.

• You have identified the resource groups in which you want to deploy the decoy resources and have
configured the required Subscription IDs in the Azure Account Configuration page.

Note:

Attivo Cloud User Guide 29

3 Cloud accounts in Attivo Cloud
Configuring your Microsoft Azure account in Attivo Cloud

• While deploying the Azure decoy resources, you need to select the required subscription and the
resource group.

• To deploy the decoys in each of the Resource Groups present within a Subscription, you need to
select the Resource Group separately every time.
Steps:
1 Click Save & Continue button.

You will be directed to Configure Your Cloud Decoys page. This is the same page which is
displayed when you navigate through Configuration | Cloud | Azure | Decoy Configuration. For
the detailed information about configuring decoys for each of the supported Azure resources, see
Configuring Azure cloud decoys

2 Select the required subscription under Select Subscription section.

3 Select the required resource group under Select Resource Group section.

You can view the cloud decoys under Deception Configuration section.

Notes:

• You can either choose to configure the decoys (custom) for each of the resource or use default
decoys. Default decoys are nothing but the pre-defined decoys generated by Attivo Cloud.

• To use default decoys for the resources you just need to click ‘+’ icon present for each of the
resource. Each time you click + icon for a resource, it increments the default decoy number by 1.
To decrease the number of default decoys, you need to use - icon.

• You can add up to 5 default decoys for each of the resources.

• For the first time, the default decoy value will be displayed as 0 for each of the resource. It indicates
that no default decoys have been configured and the status will be displayed as Nothing
Configured. You can either add a default decoy for the resource by clicking + icon or to add a
custom decoy, you can use Configure Now button. You can configure as many custom decoys as
you want.

• For each of the resource, you can see a numeric value which indicates that, those many number
of default decoys will be deployed in your Azure environment. For example, if it displays 2 for the
service ‘Blob Storage’, then it means that 2 default decoy Blob Storages are configured for
deploying.

• If the value is 0, then it means that no default decoys have been configured for the resource and
the status is displayed as Nothing Configured. To add a default decoy for the resource, you can
just click + icon, or to add a custom decoy you can click Configure Now button.

• For an already configured resource, you can review or edit it using Edit/Review button.

4 Once you review all the configured resources, you need to click Review/Deploy button to continue
with deploying of the resources.

Reviewing and deploying Azure cloud decoys

This section details about reviewing the cart which displays the summary of: the subscription, resource
group, and the configured decoy resources. It also details how to deploy the decoy resources in your
Azure environment.
Before you begin:
• We assume that you are currently in Configure the decoy Azure resources page.
Steps:
1 Click Review/Deploy button.

Review cart page is displayed with the summary of:

30 Attivo Cloud User Guide

 Cloud accounts in Attivo Cloud
Configuring your Microsoft Azure account in Attivo Cloud 3

• the subscription selected.

• the resource group selected

• list of resources configured for deployment.

2 Click Next/Launch Stack. If you require to add or modify the configurations, you can use Add more
button.

• A Shell script file gets downloaded and a dialog displaying further steps is displayed. The name of
script file consists of the subscription id, resource group name and the region.

• You need to launch Azure Shell and upload the downloaded shell script file. You need to navigate
to the file location and run the command bash <filename>.

3 In the Next Steps dialog, click Click here link to launch Azure shell on the browser.

You can also use the Azure CLI, if you have already downloaded it in your system.

4 Select Bash shell from the drop down.

Note: Execution of the shell script file in PowerShell is not supported currently.

5 Navigate to the directory where you have downloaded the shell script and run ls command to view
the list of files present in the directory.

6 Run the bash command as shown below.

bash <filename>

Deployment of decoy resources gets initiated. You can view the following statuses about
deployment in Attivo Cloud Azure Dashboard (Analysis | Cloud | Azure | Dashboard). You need
to select the corresponding Azure account and the region.

• Un-initialized

• Template generation initiated

• Decoy template creation in-progress

• Template creation completed

7 Once the decoy deployment is successful, you will see the status as Template creation completed. You
can also verify the same by navigating to the resource group in your Azure account. You will see the
status as Decoy deployment complete.

This concludes that the decoy deployment in Azure is complete and you can start monitoring your
deployed Azure resources.

Attivo Cloud User Guide 31

3 Cloud accounts in Attivo Cloud
Configuring your Microsoft Azure account in Attivo Cloud

32 Attivo Cloud User Guide

4 ADAssessor

ADAssessor is designed to proactively learn and analyze your AD infrastructure. ADAssessor provides
an overview of the entire AD landscape as well as assesses the Active Directory data and configuration
for attacks, exposures, and misconfigurations. ADAssessor presents information using infographics
about your AD environment from both an IT and security perspective.
ADAssessor and ADSecure-EP
Though ADAssessor is designed to complement ADSecure-EP, both the features function independent of
each other. For example, ADAssessor displays the count of domain controllers, users, and computers in
your network. If protecting unmanaged service accounts is important to you, then you can see the total
count of unmanaged service accounts in each domain. Then, you can start protecting them using
ADSecure-EP.
ADAssessor and ThreatPath
ThreatPath displays lateral-movement paths (including shortest paths to valuable assets like domain
controllers), cached credentials, and details of high-valued AD objects such as privileged accounts,
service accounts, and delegated (or shadow) admins. However, the ADAssessor provides the details of
domain trusts, domain controllers in each domain, computer objects, and more importantly assessment
of a long list of exposures. Therefore, ADAssessor does a more holistic and detailed assessment
compared to the AD-related exposures displayed in ThreatPath.

Summary of how ADAssessor works

Primarily, ADAssessor has two parts to it:
• Attivo Cloud, where you configure the domains to be assessed. Attivo Cloud then queries your AD,
analyzes the collected data, and presents the results of the analysis.

• Attivo CloudLink, which is a lightweight process running on any one domain-joined Windows endpoint.
Attivo CloudLink acts as the gateway between Attivo Cloud and the resources in your network such
as the domain controllers, SIEM, syslog servers, and so on.

To detect certain threats, Attivo CloudLink too queries your AD and uploads just the required data
to Attivo Cloud for further analysis and reporting.

Note: Managed endpoints are those on which you have installed Attivo Endpoint Application (for EDN).
You can migrate the CloudLink functionality to any one of the managed endpoints, if that endpoint is a
domain-joined Windows endpoint. Then, this managed endpoint functions as the Attivo CloudLink in
addition to implementing the EDN features.

ADAssessor has the following two functions:

• Exposure Detection: This is the default functionality, wherein Attivo Cloud queries the AD at 4 am UTC
Saturdays for certain data. Then, it checks for weak policy settings, misconfigurations, and
vulnerabilities.

• Threat Detection: This is an additional feature, which is disabled by default. If you enable it, Attivo
Cloud continuously assesses changes to AD user objects and reports threats and risky practices.

Attivo Cloud User Guide 33

4 ADAssessor
Summary of how ADAssessor works

Important:
You cannot enable just the Threat Detection without Exposure Detection.

The ADAssessor Dashboard and Exposures tab display the detected exposures but not the threats. For each
threat an event is raised, which you can view at Analysis | Events. See How to view the threat details?

Exposure Detection
Using the credentials you specify, Attivo Cloud queries the AD (through Attivo CloudLink) for the
following:
• Domain controllers, users, and computers in the domain.

• Details of other domains in the forest and trusted domains outside the forest.

• Data required to assess for exposures. This can include misconfigurations, weak policy settings, and
vulnerabilities.

Attivo CloudLink then sends the queried data back to Attivo Cloud, where it is analyzed and presented
in the UI. Attivo CloudLink establishes a 2-way persistent and secure communication channel with
Attivo Cloud routing data between Attivo Cloud and your network.

Note: Attivo Cloud assesses the domains you specify. It also discovers other domains in the forest and
trusted domains outside the forest. If configured to do so, Attivo Cloud can assess the sub-domains of the
domains you specify.

Consider the following illustration to understand how ADAssessor functions.

34 Attivo Cloud User Guide

 ADAssessor
Summary of how ADAssessor works 4

Item Description
1 To communicate with resources in your network, Attivo Cloud uses an endpoint which runs
the Attivo CloudLink process. There is a persistent, 2-way communication channel between
Attivo CloudLink and Attivo Cloud. Attivo Cloud sends the queries to AD through this
channel. Similarly, it receives the response from the AD as well through this channel.
2 Consider that a laptop belonging to winter.com is running Attivo CloudLink process
currently. In Attivo Cloud you have to provide the credentials of a user belonging to
winter.com or spring.com (any root domain in the same forest). This user just needs to
have read-only access in the corresponding domain and access to WinRM on the domain
controllers. You must provide the credentials of a root domain and not a child domain
because Attivo Cloud queries for objects like schema admins and domain admins.
Attivo Cloud queries the domain controllers of winter.com to:
• Discover other domains (trusts).
• Discover the AD objects of winter.com.
• Collect data required to assess for exposures.
3 If you enable querying of child domains, then Attivo Cloud queries the domain controllers
of the two child domains of winter.com as well.
4 Because spring.com is in the same forest, Attivo Cloud can query the domain controllers
of spring.com and its child domains based on how you configure.
5 Note that there is a one-way trust between spring.com and summer.com. Therefore, Attivo
Cloud can discover summer.com (but not its child domains). However, for Attivo Cloud to
assess summer.com, you must do the following:
• You must configure one more record with the details of winter.com but also enable
Access Over Trust option. Then, Attivo Cloud can query summer.com with the
credentials of winter.com itself.
• The endpoint which runs Attivo CloudLink must be able to resolve summer.com and be
able to reach the domain controllers of summer.com.

Threat Detection
In addition to Exposure Detection, you can enable Threat Detection. Threat Detection involves
detecting certain malicious activities, risky practices, and attacks such as brute-force and password
spray attempts. This visibility enables you to prevent late-stage attacks and even Denial-of-Service
condition. Desperate attackers may attempt DoS by large-scale disabling of user accounts.
To detect threats, ADAssessor assesses changes in your AD infrastructure in real-time or near-real-
time. ADAssessor does not use any administrative tools on the DCs, nor does it cause any adverse
impact on your AD or network. It uses Change Notifications mechanism in AD DS to receive continuous
updates on changes to AD objects. Then the ADAssessor module of Attivo Cloud uses complex
algorithms to distinguish legitimate and malicious changes and raises events accordingly.
How does ADAssessor module receive Change Notifications?
To use the Change Notifications mechanism, Attivo CloudLink registers itself as a client for Change
Notifications with the primary domain controller (PDC). If PDC is unreachable, then Attivo CloudLink
subscribes to one of the backup domain controllers (BDC). At any point in time, Attivo CloudLink
subscribes for Change Notifications only with one DC in a domain.
Attivo CloudLink filters the AD data and uploads just the required attributes to Attivo Cloud. Therefore,
there is never any adverse impact on your network resources. For the detected threats, Attivo Cloud
raises events with the details, including the mitigation steps.
Note the following:
• AD Change Notifications requires a persistent LDAP connection (port 389 or 636) between the client
(Attivo CloudLink) and the PDC. Make sure this connection is allowed by all the relevant endpoint and
network security applications like internal firewalls and Intrusion Prevention Systems (IPS).

• Once in two minutes, Attivo CloudLink checks if this connection is up. If this connection is down, it
retries with the PDC. If this retry fails, then it tries with the other BDC.

Attivo Cloud User Guide 35

4 ADAssessor
Summary of how ADAssessor works

• As part of the scheduled update (4 am UTC on Saturdays), Attivo Cloud receives the list of DC in each
domain. Therefore, any changes to the DC list is taken into account on a weekly basis.

• If Attivo CloudLink is unable to subscribe to Change Notifications with any of the DC for more than an
hour, then it queries for the DC list to account for changes.

• Migration of CloudLink functionality to a different endpoint is seamless and has no impact on Threat
Detection.

Threats detected by ADAssessor

Following are some of the real-time threats that ADAssessor detects:
• Brute force attack - Password spray

• Reactivation of Disabled Privileged Accounts

• Brute force attack - Mass Password Reset

• Brute force attack - Mass Account Lockout

• Brute force attack - Mass Account Disabling

• Brute force attack - Mass account deletion

• Suspicious password change detected - This applies to privileged users and unmanaged service
accounts. ADAssessor distinguishes legitimate password changes and reports only the suspicious
ones.

• Suspicious Service Creation on Domain Controller.

• Default Admin Account Usage - ADAssessor queries the AD to detect if the default administrator
account (administrator@acme.com for example) has been used successfully anywhere in the domain.
Except for recovery purposes, using the default administrator account must be discouraged.

ADAssessor uses various algorithms internally to detect these threats. In the case of password-spray
attacks for example, attackers gather required information like the probable Account Lockout Policy
settings. Then, they time the attempts accordingly to circumvent the security measures. However, the
algorithms factor in many such possibilities to detect the threats in a timely and accurate manner.
How to view the threat details?
You can view the description, mitigation steps, and reference material of each detected threat.
1 Go to Analysis | Events.

2 Click on the search tab, select Feature | ADAssessor | Apply.

The threats detected by ADAssessor for the specified time period are displayed.

3 Click on the horizontal ellipsis of a threat and click Details View.

The details are displayed in a card view.

4 Click on the threat name to view the details.

36 Attivo Cloud User Guide

 ADAssessor
Purpose and benefits of ADAssessor 4

Purpose and benefits of ADAssessor

The primary purpose of ADAssessor is to provide you an outline of the AD landscape, count of critical
AD objects, as well as enable you to discover and remediate the exposure in your AD infrastructure. As
discussed in the earlier sections, you can also enable threat detection.
Information from ADAssessor provides the following benefits:
• A panoramic view of the entire AD landscape along with the count of various AD objects in each
domain is available to the security team. This provides the visibility of the very assets that you intend
to protect.

• With the count of critical AD objects in each domain available, you can plan your ADSecure-EP
configuration accordingly. For example, you can know the count of domain controllers in each domain
that you need to protect. When new domain controllers are added, Attivo Cloud factors them in the
count of unprotected domain controllers, which can draw your attention. Thus you can constantly
monitor the attack surface and take steps to reduce it.

• With the predominant exposures in your AD infrastructure called out, you can now know where to
start as you secure your AD infrastructure. You can triage the exposures and prioritize remediation
tasks.

• For the applicable exposures, ADAssessor provides the mitigations steps as well. You can trigger
analysis again to make sure the exposure is successfully removed. Thus, you can reduce the attack
surface considerably.

• By removing the detected exposures, you can preempt attacks like privilege escalation, lateral
movement, and exploitation of weak group policies and unchanged passwords, and so on.

• If Indicators of Compromise (IOC) are reported, you can use the AD topology and the AD objects
displayed for each domain to investigate the methodology used and prevent further damage.

• Real-time monitoring and analysis to detect advanced brute force and DoS attempts in the early phase
itself. ADAssessor does real-time detection with just the data from the AD, without the need for any
tools installed on the AD, and without any impact on your AD infrastructure or network.

Requirements and considerations

Review this section before you configure ADAssessor.

Requirements
The following are the requirements for Attivo CloudLink. This section does not cover the requirements
for EDN functionality of Attivo Endpoint Application. For example, EDN functionality is supported on
Windows 7, 8, and 8.1 whereas Attivo CloudLink is supported only from Windows 10.
• The endpoint on which you install Attivo CloudLink must meet the following minimum requirements:

• An AD-joined endpoint running Windows 10 64-bit or higher or Windows Server 2012 R2 or higher

• 4-core CPU

Attivo Cloud User Guide 37

4 ADAssessor
Requirements and considerations

• 8 GB RAM

• 1 GB free space in the hard disk

• 5 Mbps Internet connectivity

• Connectivity to cloud.attivonetworks.com:443 and api-cloud.attivonetworks.com:443

Make sure traffic to these 2 domains are not blocked by your network and security applications
like proxy servers, network gateway, and firewalls.

• You need local administrative privileges to install Attivo CloudLink on an endpoint.

• The ADAssessor module uses LDAP, SMB, and WinRM to query the AD. For this Attivo Cloud needs
only a standard user account with read-only privileges to the AD. Also, this account must have
privileges to access WinRM on the domain controllers. For information on how to enable WinRM
privileges for a user, see WinRM access to Domain Controller.

To assess the entire forest, recommend that you provide a root-domain name and a user account
that belongs to that root domain.

• Communication between Attivo Cloud and your network resources is through the 2-way secure and
persistent communication channel between Attivo CloudLink and Attivo Cloud. Refer to the URLs in
the first point. This channel is over TCP port 443. Therefore, make sure your security applications are
configured to allow this traffic between Attivo Cloud and the endpoint on which Attivo CloudLink is
installed.

• Attivo CloudLink must have access to DNS to resolve the corresponding forest and domain names.

• Make sure the following protocols (and corresponding ports) are allowed by the network and endpoint
security applications:

• DNS (53)

• Kerberos TCP (88)

• LDAP (389/636)

• SMB (445)

• WinRM (5985/5986)

WinRM pre-requisites
This section explains the WinRM-related pre-requisites for ADAssessor to work.
WinRM access to Domain Controller
ADAssessor use WinRM protocol along with LDAP & SMB to connect to the Domain Controllers to detect
certain exposures. WinRM is enabled by default on all Windows Servers by Microsoft unless explicitly
disabled.
Attivo ADAssessor is designed to connect to the Domain Controller over WinRM in the most secure
method, we support WinRM connection to Domain Controller over HTTP (5985) & HTTPS (5986).
Our recommendation is to use WinRM over HTTPS for the most secure communication between
CloudLink and Domain Controller. For added layer of security we use Kerberos Authentication to
authenticate to the Domain Controller for WinRM HTTP & HTTPS.
ADAssessor connects to the Primary Domain Controller in each Domain to detect the exposures, the
PDC in each Domain should allow WinRM connectivity for all the Exposures to complete successfully.
WinRM over HTTPS
Pre-requisites:
Domain Controller
• Domain Controller should have a Certificate (We can use the same certificate that is used for LDAPS)

• The Subject Name of the Certificate should be the Hostname of the Domain Controller.

38 Attivo Cloud User Guide

 ADAssessor
Requirements and considerations 4

• Configure WinRM for HTTPS

• Run the command “winrm quickconfig -transport:https”

• Validate the HTTPS Listener is created, and the right Certificate is bound to the listener.

• To validate the listener configuration, use the command “winrm enumerate winrm/config/listener”

• Sample Output, Validate the information highlighted in yellow.

• Allow Read & Invoke Permission for the User Account Configured in Attivo Manager AD Configuration.

• Run the command “winrm configsddl default”

• Add the user account and provide Read & Invoke Permission

• Add the user account to “Remote Management Users” Group

• Create Firewall Rule inside the Domain Controller.

• We must enable traffic over 5986 through Windows Firewall.

• Open Windows Firewall with Advanced Security

• The icon for Windows Firewall with Advanced Security.

• Navigate to Inbound Rules | New Rule…

• In the Wizard select Port, TCP, 5986, Allow the connection, leave all network profiles selected, and
name it WinRM HTTPS. The rule will look something like this:

Attivo Cloud User Guide 39

4 ADAssessor
Requirements and considerations

WinRM over HTTP

ADAssessor allows WinRM over HTTP. HTTP should be used only in scenarios where Domain Controllers
do not have a certificate configured. WinRM over HTTP only supports unencrypted connection, Though
the connection is unencrypted because we use Kerberos Authentication the GSS-API Security context
encrypts the authentication data anyways and the communication is secure.
Domain Controller
• Set AllowUnencrypted false to True

• Run the command “winrm set winrm/config/service @{AllowUnencrypted = "true"}

Additional requirements and considerations for Threat Detection

• AD Change Notifications requires a persistent LDAP connection (port 389 or 636) between the client
(Attivo CloudLink) and the PDC. Make sure this connection is allowed by all the relevant endpoint and
network security applications like internal firewalls and Intrusion Prevention Systems (IPS).

Change Notifications is a native feature of Windows AD. It sends updates right when changes are
made. Also, Attivo CloudLink filters and uploads just the required attribute values. Therefore, there
is no adverse impact to your AD or network infrastructure.

• By default, Threat Detection is disabled. You can enable it for the required AD (Configuration |
Active Directory | AD Configuration).

When you enable Threat Detection for a domain, Attivo Cloud collects the user objects with the
required attribute values for its analysis. This process can take several minutes. The time taken
depends on the number of user objects and the number of domains (if Include All Domains is
selected). The Sync Status column in the Active Directory Configuration page displays the status -
failed, pending, or completed.

Important: The sync is an one-time process. Pending indicates the sync is in progress. During this time,
just the Threat Detection for the corresponding domains is suspended. There is no other impact on
ADAssessor functionality. However, refrain from making any changes to the AD Server record in the Attivo
Cloud UI when Sync Status is in pending state.

• If you disable Threat Detection, the synced user objects in Attivo Cloud is deleted. Then the Sync
Status shows NA. If you enable again, the sync happens again, which can take several minutes as
discussed previously.

• All authenticated users in AD have a set of default permissions on all the other objects. For Threat
Detection, ADAssessor relies on these default permissions.

The default permissions are the following:

• Read general information

• Read public information

• Read personal information

• Read web information

• Read permissions

40 Attivo Cloud User Guide

 ADAssessor
Requirements and considerations 4

If these permissions are missing or not allowed, then the real-time Threat Detection fails.
Therefore, you must allow these default permissions. Alternatively, provide read permission to all
the objects for the user account you provide in Attivo Cloud.

To allow these default permissions, execute the following command on the DC.
“dsacls "DC=<Domain>,DC=<Name>" /I:T /g domainame\username:LCRP”

dsacls Native tool used to read and modify permissions.

"DC=<Domain>,DC=<Name>" Replace with the actual DN of the domain.
/I:T Switch ensures permissions are inherited so that any existing and
future objects can be queried.
/g Switch specifies to grant permissions.
domainame\username Replace with the corresponding domain and account name you specify
in the Active Directory record.
LCRP This switch stands for the permission (List Contents & Read Property).

Note: If you select Include All Domains option in the Active Directory record in Attivo Cloud, then run this
command in all the domains where these default permissions are modified.

• To detect Suspicious Service Creation on Domain Controller, the user account you provide in the AD
server record must be a member of Event Log Readers security group.

For this query, Attivo CloudLink uses WinRM HTTP (port 5985) or WinRM HTTPS (port 5986). Make
sure this connection is allowed by the corresponding network and endpoint security applications.
Attivo CloudLink performs this query at fixed intervals. There is no persistent connection for these
queries.

• To detect Brute force attack - Mass account deletion, the user account you provide in the AD server
record must have read permissions in the deleted objects container.

To allow this permission, execute the following commands in the same order on the DC:

dsacls "CN=Deleted Obects,DC=<Domain>,DC=<Name>" /takeownership

dsacls " CN=Deleted Obects,DC=<Domain>,DC=<Name>" /I:T /g domainame\username:LCRP

dsacls Native tool used to read and modify permissions.

/takeownership This switch is used to take ownership of the container first for the user
executing the command.
"DC=<Domain>,DC=<Name>" Replace with the actual DN of the domain.
/I:T Switch ensures permissions are inherited so that any existing and
future objects can be queried.

Attivo Cloud User Guide 41

4 ADAssessor
Configuring ADAssessor

/g Switch specifies to grant permissions.

domainame\username Replace with the corresponding domain and account name you specify
in the Active Directory record.
LCRP This switch stands for the permission (List Contents & Read Property).

Note: If you select Include All Domains option in the Active Directory record in Attivo Cloud, then run this
command in all the domains where these default permissions are modified.

Considerations
• At a given point in time, there can be only one active Attivo CloudLink per subscription.

The first endpoint on which you install Attivo Endpoint Application is chosen to function as Attivo
CloudLink by default for that subscription. You can also migrate the Attivo CloudLink functionality
to another suitable endpoint.

• The persistent communication channel between Attivo CloudLink and Attivo Cloud uses TLS version
1.2 for encryption. Cipher suites are same as mentioned in the About Attivo Cloud chapter.

• For details on how Attivo Cloud stores the AD data from Attivo CloudLink safe and secure, refer to
Attivo's Cloud Security, Data, and Availability Considerations document. Attivo Cloud stores the data
for up to 7 analysis cycles after which the data is permanently purged from Attivo Cloud. Before they
are purged, you can download the reports to store them for your records.

• For ADAssessor, Attivo Cloud collects certain information from the configured AD. Refer to Attivo's
Cloud Security, Data, and Availability Considerations document for specific information.

• By default, scheduled data collection and analysis happen every Saturday at 4 am UTC. This is not
configurable. At any point, you can trigger data collection and analysis manually by clicking Trigger
Analysis at Analysis | ADAssessor.

• For data related to objects, Attivo Cloud queries just the Primary Domain Controller (PDC). If the PDC
is unreachable, then Attivo Cloud queries the next available domain controller.

• Depending on what data it is querying for, Attivo Cloud uses LDAP, SMB, and the WinRM service on
the domain controllers. For example, the queries related to GPO are through SMB.

Configuring ADAssessor
Configuring ADAssessor consists of the following steps:
1 To use the features of Attivo Cloud you must first deploy Attivo CloudLink.

2 You must configure the AD details and the credentials of a user. Attivo Cloud queries the
corresponding domain controllers to gather data about the AD topology and exposures.

The ADAssessor module uses LDAP, SMB, and WinRM to query the AD. For this Attivo Cloud needs
only a standard user account with read-only privileges to the AD. Also, this account must have
privileges to access WinRM on the domain controllers. For information on how to enable WinRM
privileges for a user, see WinRM access to Domain Controller.

To assess the entire forest, recommend that you provide a root-domain name and a user account
that belongs to that root domain.

42 Attivo Cloud User Guide

 ADAssessor
Configuring ADAssessor 4

Deploy Attivo CloudLink

To deploy Attivo CloudLink for your organization, you must download the Attivo Endpoint Application
and install it on an AD-joined Windows endpoint. When you install Attivo Endpoint Application, the
endpoint establishes contact with Attivo Cloud. The first AD-joined Windows endpoint to do so from
your organization functions as the Attivo CloudLink by default. Then, Attivo CloudLink establishes a
secure and persistent 2-way communication channel between the corresponding endpoint and the
Attivo Cloud. This connection acts as the gateway between Attivo Cloud and your network resources
such as Windows AD, SIEM applications, syslog servers, and so on.
If required, you can migrate the Attivo CloudLink functionality to a different AD-joined Windows
endpoint. At a given point in time, there can be only one active Attivo CloudLink per subscription of
Attivo Cloud.
After you apply a Protection Policy, the configured EDN features also begin to function on the same
endpoint in addition to the Attivo CloudLink functionality. The endpoint creates two different persistent
connections to Attivo Cloud - one for EDN and the other for CloudLink.
Before you begin:
You have local administrative privileges in an AD-joined Windows endpoint. This endpoint is joined to a
root domain in the forest.
Steps:
1 In Attivo Cloud, go to Configuration | Startup Wizard.

2 In the Product Selection page, select ADAssessor and optionally the other options and then click
Get Started.

3 In the Attivo CloudLink page, click Download and allow a few minutes for the installation package to
download and ready to save.

4 Save the installation package when prompted.

You have to now install the Attivo Endpoint binary. You can install it manually on an endpoint or
use a supported endpoint security application such as McAfee ePO or ForeScout CounterACT to
install it simultaneously on multiple endpoints. In this case, the first Windows endpoint which
establishes contact with Attivo Cloud functions as the Attivo CloudLink. If needed, you can migrate
this functionality to a different endpoint.

Note: For Attivo CloudLink, only the Windowssetup.exe file is needed from the installation package.

This section provides the steps to manually install Attivo Endpoint binary. Follow similar steps if
you are using an endpoint security application to install the Attivo Endpoint binary.

5 Log on to the AD-joined Windows endpoint as a user who is part of the local administrators group.
Then, extract the Attivo Endpoint installation package on this endpoint.

Note: To query the AD, Attivo Cloud uses the AD user credentials you will subsequently configure in Attivo
Cloud and not the credentials of the logged on user.

6 Open Windows Command Prompt or Windows PowerShell in administrator mode and change the
directory to the one that contains Windowssetup.exe.

7 Type in Windowssetup.exe /ia /service

Both /ia and /service parameters are required. Attivo CloudLink does not function for current
user (/i) or in non-service mode.

If the traffic to the Internet is forwarded through a HTTP proxy server, then pass the proxy details
using the command-line parameters.

• Use /proxyaddr <IP address:port number> to pass the IP address and port number of the HTTP
proxy. For example: Windowssetup.exe /ia /service /proxyaddr 192.0.2.10:8421

Attivo Cloud User Guide 43

4 ADAssessor
Configuring ADAssessor

• If authentication is mandatory, pass the user name and password as well using the /proxycred
<Username:Password> parameter. For example: Windowssetup.exe /ia /service /proxyaddr
192.0.2.10:8421 /proxycred SampleUserName:SamplePassword.

• Only HTTP proxy is supported (not HTTPS). However, the traffic between Attivo CloudLink and
Attivo Cloud is encrypted.

Verify if Installation for all users completed successfully is displayed in Windows CMD.

8 Click Next in the Startup Wizard.

Until Attivo CloudLink establishes the persistent 2-way connection with Attivo Cloud, the following
message is displayed. It can take a few minutes for the process to complete. Though, you can click
OK to proceed to the next step, the recommendation is that you wait for the process to complete.

When Attivo CloudLink successfully establishes the communication channel with Attivo Cloud, the
following status messages are displayed in the Startup Wizard. The third message also displays the
endpoint, which is currently functioning as the Attivo CloudLink.

The next step is to configure the AD details in Attivo Cloud.

Configure Active Directory server details

This section details how to configure on-premise Active Directory and Azure Active Directory.

Configuring on-premise Active Directory

You must provide the domain name and the credentials of a domain user to query the AD. Attivo Cloud
queries the corresponding domain controllers to gather data regarding the AD topology and exposure
assessment. This configuration is used for ADSecure-EP as well.
The ADAssessor module uses LDAP, SMB, and WinRM to query the AD. For this Attivo Cloud needs only
a standard user account with read-only privileges to the AD. Also, this account must have privileges to
access WinRM on the domain controllers. For information on how to enable WinRM privileges for a user,
see WinRM access to Domain Controller. There are additional requirements for Threat Detection. See
Requirements and considerations.

44 Attivo Cloud User Guide

 ADAssessor
Configuring ADAssessor 4

To assess the entire forest, recommend that you provide a root-domain name and a user account that
belongs to that root domain.
With respect to ADAssessor, providing the details of any one of the root domains of a forest is enough
to query the rest of the domains in the same forest. To query and assess a domain in a different forest,
you must create an AD record for that domain at Configuration | Active Directory | AD
Configuration.

Note: Regardless of whether a domain belongs to the same forest or a different one, the endpoint hosting
Attivo CloudLink must be able to resolve the domain names for ADAssessor to assess them. The same applies
to ADSecure-EP as well.

Before you begin:

• The order in which you configure does not matter. However, it is recommended that you successfully
install Attivo CloudLink before you configure the AD details. Make sure the following status messages
are displayed in the Startup Wizard.

• You have the FQDN of a root domain that you want to assess. The endpoint hosting Attivo CloudLink
must be able to resolve this FQDN.

• You have the user name and password of a user belonging to the root domain. This user just needs
read-only access on the AD but also should be able to use the WinRM service on the domain
controllers.
• You have reviewed the Requirements and considerations and its subsections.
Steps:
1 Open the Add Active Directory Server dialog.

If you are in the Startup Wizard, go to the third task, which is Active Directory.

Attivo Cloud User Guide 45

4 ADAssessor
Configuring ADAssessor

Alternatively, go to Configuration | Active Directory | AD Configuration and click Add.

2 Add the details of an AD server.

Table 4-1 AD server details

Field Description
DC FQDN/IP Enter the FQDN or the IP address of one of the domain controllers. This can even be a read-
only domain controller.
Example: adserver.acme-corp.com

Note:
If you select the SSL option, then you need to provide the Fully Qualified Domain Name
(FQDN) in this field. AD authentication fails if the host name in the FQDN doesn’t match
the Subject Name or the Subject Alternate Name in the SSL certificate. IP address will
work provided it is available in the Subject Alternate Name.

FQDN is required even if you do not select SSL option, but LDAP signing and channel
binding is enabled on the AD server.

Even if you provide the IP address, the endpoint that hosts Attivo CloudLink must be able
to resolve the corresponding domain. This is because the ADAssessor module uses the
domain name in some of the queries. For example, ADAssessor uses the FQDN of the
domain controllers in its queries.

Username Enter the user name the Attivo Cloud can use to query the domain. This user name needs
just read-access to query the root domain but should have privileges to use the WinRM
service on the domain controllers. For information on how to enable WinRM privileges for
a user, see WinRM access to Domain Controller.
You can enter the user name in these 3 formats: UPN, NetBIOS, or just the user name.
UPN format: For example, if the configured domain is acme.com, you can enter
jdoe@acme.com as a user name.

Note: In the UPN, you can also enter an alternative UPN suffix (domain alias).

NetBIOS format: If the configured domain is sales.acme.com, and the corresponding

NetBIOS for the domain is SALES, you can enter SALES\jdoe. (SALES.ACME.COM\jdoe
is not valid).
Only the user name: For example, if the configured domain is sales.acme.com, you can
enter jdoe. In this case, the Attivo Cloud considers the user name as
jdoe@sales.acme.com.

Tip: Recommend that you configure an unmanaged service account because a normal
user account can be impacted by security policies like password expiry.

46 Attivo Cloud User Guide

 ADAssessor
Configuring ADAssessor 4

Table 4-1 AD server details

Field Description
Password Enter the corresponding password.
Domain name Enter the FQDN of the domain or the sub domain.
Example: acme-corp.com
Encryption method Select SSL to encrypt the traffic between Attivo Cloud and Windows Active Directory.

Note: This option is for encrypting the traffic to and from the Active Directory and is
different from the encryption done by Attivo CloudLink.

CA-signed Select if the certificate is signed by a CA. In case of self-signed certificate, Attivo Cloud
automatically adds the certificate to the trusted list.
LDAP Port Enter the port number Attivo Cloud should use to communicate with the Windows Active
Directory.
Make sure the correct port number is entered. If SSL is enabled, the default port is 636,
else the default port is 389.
Referral Select to enable referral chasing to query the sub-domains.
ADAssessor Attivo Cloud queries and assesses the corresponding domain only if you select this option.
ADAssessor: Select to enable the Threat Detection functionality of ADAssessor.
Enable Threat When you enable Threat Detection for a domain, Attivo Cloud collects the user objects with
Detection the required attribute values for its analysis. This process can take several minutes. The
time taken depends on the number of user objects and the number of domains (if Include
All Domains is selected). The Sync Status column in the Active Directory Configuration
page displays the status - failed, pending, or completed.

Important: The sync is an one-time process. Pending indicates the sync is in progress.
During this time, just the Threat Detection for the corresponding domains is suspended.
There is no other impact on ADAssessor functionality. However, refrain from making any
changes to the AD Server record in the Attivo Cloud UI when Sync Status is in pending
state.

If the Sync Status is in failed state, retry by disabling and then enabling it back again. If
it still fails, check the connection between Attivo Cloud, Attivo CloudLink, and the DC. Also,
make sure you have complied with Additional requirements and considerations for Threat
Detection.
If you disable Threat Detection, the synced user objects in Attivo Cloud is deleted. Then
the Sync Status shows NA. If you enable again, the sync happens again, which can take
several minutes as discussed previously.
Post the sync, when user objects are added or deleted in the AD, similar changes are made
to the copy of the user objects in Attivo Cloud.
For the details of the user objects and the attributes stored in Attivo Cloud, refer to Attivo's
Cloud Security, Data, and Availability Considerations document.
ADAssessor: Attivo Cloud discovers subdomains and displays them in the UI as part of the AD topology.
Include All domains However, the ADAssessor module queries and assesses the subdomains only if you select
this option. Else, it assesses only the domains you configure.
If you select Include All Domains, then select Referral too because ADAssessor
Dashboard requires Referral option to be selected to display certain data in the
ADAssessor Dashboard.

Attivo Cloud User Guide 47

4 ADAssessor
Configuring ADAssessor

Table 4-1 AD server details

Field Description
Access Over Trust Select if you want to configure a trusting domain in a different forest. This option is
relevant if you want to assess or protect a trusting domain using the credentials of a user
in the trusted domain.
Consider that summer.com is a domain in Forest B, which trusts spring.com in Forest A. If
you want to configure ADAssessor or ADSecure-EP for summer.com using a credential like
user@spring.com, then select this option.
• Trusting Domain Name: Enter the domain name like summer.com.
• Trusting Domain DC FQDN: Enter the FQDN of a DC of the trusting domain. Do not enter
an IP address. For example: adserver.summer.com

Note: You must create records for each trusting domain. For example, to configure 5
trusting domains, you must create one for each. You must also create one for the trusted
domain, in which you must keep the Access Over Trust disabled.

Save & Test Attivo Cloud tests if it is able to access a domain controller before saving the details..
Connection

3 Click Next in the Startup Wizard and wait for Attivo Cloud to learn the AD and gather data for analysis.

• If you are configuring just ADAssessor without the EDN features, you can exit the Startup Wizard
and view the results of the analysis in the ADAssessor Dashboard.

• If you configured the AD details without using the Startup Wizard, go to Analysis | ADAssessor
and click Trigger Analysis to trigger the learning and analysis.

Configuring Azure Active Directory

To configure the Azure Active Directory (AD) in Attivo Cloud, you must create and register an
application with the required permissions in Azure AD under the corresponding Azure account (tenant).
Then in Attivo Cloud, you must add the application (registered in Azure AD) ID along with other details
of the Azure account.
Based on the Azure account details configured in Attivo Cloud, the Azure AD will be assessed by the
ADAssessor feature.
Note:
• Deploying of Attivo CloudLink is not required for configuring Azure AD.

• Adding of exclusions for ADAssessor feature is not supported for Azure AD.

• Threat detection is not supported for Azure AD.

Registering the app in Azure AD

To facilitate Azure AD assessment for the ADAssessor feature, create and register an app with the
required permissions in Azure AD under the corresponding Azure account.
Steps:
1 Log on to your Microsoft Azure account.

2 Click the Azure portal menu icon present in the top-left corner of the Azure portal and select Azure
Active Directory.

You will be directed to the Azure AD Overview page. You can find the basic information such as
AD name, Tenant ID, Primary domain, license, etc.,

3 On the left pane click App registrations.

4 Click New registration or Register an application.

5 Enter a name for the application and select the required option under Supported account types.

6 Click Register.

The application is created, and the details of the application are displayed.

48 Attivo Cloud User Guide

 ADAssessor
Configuring ADAssessor 4

Note: You must copy the Application (client) ID and Directory (tenant) ID and save it in a safe location.
These details are required to be entered while configuring the Azure account details in Attivo Cloud.

7 Click Add a certificate or secret under Client credentials. Alternatively, you can click
Certificates & secrets on the left pane.

The Certificates & secrets page is displayed.

8 Click New client secret.

9 Enter a description for the client secret and select the required expiry duration for the client secret.

10 Click Add.

11 The newly added client secret gets listed in the Certificates & secrets page.

Note: You must copy the secret value and save it in a safe location. This information is required to be
entered while configuring the Azure account details in Attivo Cloud.

12 Click API permissions on the left pane.

13 Click Add a permission.

Request API permissions page is displayed.

14 Click Microsoft Graph.

15 Click Application permissions.

A list of all the permissions is displayed.

16 Select the below-mentioned permissions under the corresponding categories.

• AuditLog.Read.All

• Directory.Read.All

• Policy.Read.All

• Reports.Read.All

• User.Read

• Policy.ReadWrite.DeviceConfiguration

17 Click Add permissions.

18 All the above permissions are applied to the new application you created.

Once the Azure admin grants the permissions, you can configure the Azure account details in
Attivo Cloud.

Configuring Azure Active Directory details

Once you create and register an application in Azure AD with the required permissions, you can
configure the Azure account details in Attivo Cloud.
Before you begin:
• You have the Directory (tenant ID) of the Azure account.

• You have the Application ID (client ID) of the application that is registered in Azure AD.

• You have copied the Client secret value from the registered application.
Steps:
1 Login into Attivo Cloud.

You can configure Azure AD from the below navigation paths in Attivo Cloud:

Attivo Cloud User Guide 49

4 ADAssessor
Configuring ADAssessor

• Configuration | Startup Wizard (third task: Active Directory)

• Configuration | Active Directory | Azure AD Configuration

2 Enter the details in the corresponding fields.

Field Description
Name Name of the Azure account.
Directory (tenant) ID) Tenant ID of your Azure account.
Application (client) ID Client ID of the application registered for Attivo Cloud in Azure.
Client Secret Value The Client secret value you copied from the registered application.

3 If you are configuring Azure AD from Startup Wizard, click Next in the Startup Wizard and wait for
Attivo Cloud to learn the Azure AD and gather data for analysis.

• If you are configuring just ADAssessor without EDN features, you can exit the Startup Wizard and
view results (Azure Exposures) of the analysis in the Analysis | ADAssessor | Azure Exposures
tab).

4 If you are configuring Azure AD from Configuration | Active Directory | Azure AD Configuration
page and you want to trigger the Azure AD learning and analysis, you can navigate to Analysis |
ADAssessor | Azure Exposures | Actions, and click Trigger All.

5 After adding Azure AD details from Configuration | Active Directory | Azure AD Configuration
page, you can enable data synchronization for ADAssessor and IDEntitleX features. You can also
configure/deploy the Azure decoys from this location.

• To enable data synchronization for ADAssessor and IDEntitleX features, click the enable/disable
switch present in each of the features.

• When you click save after entering the Azure account details, the first synchronization is triggered
automatically for ADAssessor and IDEntitleX features. To synchronize the data later, you can click
the sync icon present for the ADAssessor and IDEntitleX features.

Note: The sync action synchronizes the identities, resources, and entitlements from the corresponding
account. The synchronizing time depends on the number of objects being retrieved. For a small
account, it may take a few minutes, and for a large account, it may take several hours.

6 If required, you can enable track changes for the IDEntitleX feature by clicking Configure Now.
When you click Configure Now, the IDEntitleX Configuration dialog is displayed. You can enable/
disable the track changes and click Save.

7 If required, you can configure Azure decoys newly or deploy the already configured Azure decoys
under Decoys box.

• To configure Azure decoys, click Configure Now. You will be prompted to enter the Azure
Subscription ID. Enter the Azure Subscription ID and click Save.

• To deploy the Azure decoys, click Deploy present inside Decoys box. You will be directed to the
Azure Decoy Deployment page. Click Review/Deploy to deploy the Azure decoys.

8 Click Add Another and repeat the above steps to add more Azure accounts, if required.

• Click Update if you have modified the details of the Azure account.

• To remove the Azure account, click Remove.

50 Attivo Cloud User Guide

 ADAssessor
Understanding the ADAssessor Dashboard 4

Understanding the ADAssessor Dashboard

After Attivo Cloud completes its learning and assessment of your AD, you can view the results in the
ADAssessor Dashboard. In Attivo Cloud, go to Analysis | ADAssessor.
•
• Understanding the Azure Exposures tab.

The ADAssessor Dashboard and Exposures tab display the detected exposures but not the threats. For each
threat an event is raised, which you can view at Analysis | Events. See How to view the threat details?

Understanding the Dashboard tab

The Dashboard tab provides the topology of the entire AD infrastructure as well as the overview of the
exposures.

Note: All the data shown in the ADAssessor Dashboard except in the ADAssessor Tests widget are from the
last ADAssessor analysis. Therefore, if you add or modify an AD record, then Attivo Cloud does data collection
and analysis for that domain (and tree, if applicable). Because the Dashboard shows data only from the last
analysis, data for all other domains (and trees) will not be displayed until the next scheduled or manual
analysis.
Given the above behavior, recommend that you trigger analysis when you add or modify AD records.

Attivo Cloud User Guide 51

4 ADAssessor
Understanding the ADAssessor Dashboard

Item Description
1 Click on the Dashboard tab for the overview and the Exposures tab for the details of
exposures.
2 Select the domains for which you want to see the ADAssessor analysis results.
You can view the data for specific or all the domains of a tree at a time. You cannot view
the data spanning more than one tree at a time.
In the below example, selecting Acme-Labs.Local listed first, selects all the subdomains as
well. Selecting Acme-Labs.local listed second, considers only Acme-Labs.Local and not its
subdomains.

3 The scheduled ADAssessor data collection and analysis is on Saturdays at 4 am UTC. To

manually trigger data collection and subsequent analysis, at any point, click Trigger
Selected or Trigger All from the Actions menu.
Unlike in the case of scheduled analysis (Saturday 4 am UTC), Attivo Cloud does not
generate any automatic report (though the results of the analysis are available in the
Exposures tab). If required, you can manually generate a report from the Exposures tab.

Tip: While it is ensured that the data collection (queries) do not cause performance
impact on the domain controller, it is recommended to schedule/trigger the assessments
outside of working hours.

52 Attivo Cloud User Guide

 ADAssessor
Understanding the ADAssessor Dashboard 4

Item Description
4 The Test Results widget shows the overall health score of the assessed domains. The
higher the score, healthier the domain. Note that this calculation is based on the number
of detections not found on assessment. The severity of the detections are not factored in.
With the resultant health score, the risk for exploitation is determined as follows:
• 0-30% - very high risk (that is, the AD is at a very high risk for exploitation)
• 31-50% - high risk
• 51-70% - medium risk
• 71-95% - low risk
• 96% and above - very low risk
The bar graph and the table show the same information in the respective formats. Point to
a section in the graph for view the count.

In this example, Attivo Cloud assessed the selected domain for a total of 44 exposures.
Out of that 17 are present currently (vulnerable), 26 are not present (not vulnerable), 1
exposure was skipped because the corresponding AD queries failed or the data was
insufficient to complete the analysis. So the health score will be 62% (the error count is
not factored while calculating the health score). See Skipped exposures-reasons and
troubleshooting steps.
If you select more than one domain, then the bar graph and the table show the cumulative
values. The health score is also calculated based on the cumulative values. The screenshot
below shows the health score for 2 domains. Note that the total 88 indicates the 44 unique
detections (exposures) assessed for each domain.

Note: Click on a value to view the details in the Exposures tab. If you are on a trial
license, then for the selected domain, you are authorized to view only the top 3
exposures, one from very high, high, and medium severities.

Improve See Improve protection for Active Directory.

Protection

Attivo Cloud User Guide 53

4 ADAssessor
Understanding the ADAssessor Dashboard

Item Description
5 The Domain View widget provides a graphical representation of the entire AD landscape.
You can view the child domains and trusted domains in a topology or trust view.
The topology view shows the other domains within the same tree.

Note: By default, only 3 objects are displayed. You must click on an object to zoom in
and view all the discovered domains in the tree. When you zoom in further, you can see
the number of detected exposures in each domain. If you click on a domain again, you
can view the corresponding exposures in the Exposures tab.

The trust view displays the root domain and all its trust relationships. In the following
screenshot, attivo1.local is the trusting domain and automation122.deception-gB.local is
trusted by attivo1.local. Rest all are 2-way trusts.

The legend for Domain View is below.

6 The Domains Assessed counter corresponds to the number of domains you selected from
the list.
In all the counters, Unprotected indicates the count of objects that you have not
configured to protect through ADSecure-EP. Trust indicates the number of trusts between
the root domain and other domains within and outside the forest.
The trusts are shown as Risks because if a domain is compromised, then attackers get to
know about other domains, which they can compromise. Note that even if the trust is one-
way, where the selected domain is the trusting domain, it is counted as a risk.
This counter also shows the count for two of the most severe exposures related to domain
controllers. Click to view the description and mitigation steps.
7 The Users counter shows the total user accounts in the selected forest or domain. The
service account in this widget indicates the unmanaged service accounts. Disabled user
objects are not considered.

54 Attivo Cloud User Guide

 ADAssessor
Understanding the ADAssessor Dashboard 4

Item Description
8 The Computers widget shows the total count of computer objects.
The Attivo Cloud detects systems running obsolete Windows operating systems by
querying for the operating system attribute of computer objects. (It is not based on
endpoint data). All computer objects are considered regardless of whether they are
disabled or not.
• For servers, computers on an operating system earlier than Windows Server 2012
are considered obsolete. (Windows Server 2012 is not considered as obsolete).
• For clients, computers on Windows 7 and earlier are considered as obsolete.
LAPS protected indicates the count of computers for which the local administrator
password is protected through Microsoft Local Administrator Password Solution.
Dangerous delegations show the number of computer objects that have their
UserAccountControl attribute set to TRUSTED_FOR_DELEGATION. This is the most
powerful security impersonation level by which a server can use a client's credentials to
authenticate with another server on the client's behalf.
9 The Most Vulnerable Assessments widget shows the count of the most prevalent exposures
in the selected domains. This widget can enable you to prioritize your remediation tasks.
Click to view the details of the exposures and the mitigation steps.
10 All the data that you see in the ADAssessor Dashboard is from the latest analysis. If you
need to see the count of the detected exposures in the previous analysis, then you can use
the ADAssessor Tests widget. This widget shows up to the last 7 analysis. Point to a specific
cell to see the count of exposures detected in that analysis. You can compare the count of
exposures detected during different analysis to see how the AD health has progressed over
time.
11 If you configure ADSecure-EP, this widget displays the ADSecure-EP reports related to the
selected domains.

Improve protection for Active Directory

After an ADAssessor analysis, you might want to address the vulnerabilities identified by ADAssessor
and harden the security posture of your Active Directory. You can do that in two ways: Secure with
ADAssessor and Secure with ADSecure-EP.
• Secure with ADAssessor: You can address the root cause by following the mitigation steps
provided in ADAssessor. Because this removes the vulnerability, the health score increases at the next
assessment or analysis.

Click Improve Protection | Secure with ADAssessor. The Exposures tab of ADAssessor
displays. Use the filters to search and locate the vulnerabilities. Then click Details of a
vulnerability for the mitigation steps. For detailed information on how to view information in the
Exposures tab, see Understanding the AD Exposures tab.

Attivo Cloud User Guide 55

4 ADAssessor
Understanding the ADAssessor Dashboard

After you mitigate, click on the horizontal ellipsis and click Re-run Assessment to verify if it is
mitigated. If you remove this vulnerability for the entire domain, then the health score improves
on next ADAssessor analysis.

• Secure with ADSecure-EP: You can use ADSecure-EP to improve the security posture of your AD.
This option is similar to how you configure ADSecure-EP to hide real AD objects.

In this case, you can configure ADSecure-EP to hide the objects related to the vulnerabilities
reported by ADAssessor. Consider the Privileged users with SPN defined vulnerability. Ideally you
must remove the SPNs for such users to mitigate the risk of Kerberos-based attacks. If you cannot
remove the SPNs for some functional reason, you can configure ADSecure-EP to hide the
corresponding privileged users. Then, when potential attackers query the AD, these users are
hidden in the response, and can remain unknown to attackers. Hiding the objects has no impact on
the ADAssessor health score because the vulnerabilities still exist.

See Improve protection through ADSecure-EP.

Improve protection through ADSecure-EP

The Improve Protection wizard enables you to hide AD objects related to the vulnerabilities reported by
ADAssessor. To access this feature click Improve Protection | Secure with ADSecure-EP in the
ADAssessor Dashboard tab. The Improve Protection - Objects page displays.
• If you do not have valid license for ADSecure-EP, you are directed to the Subscription page, where
you can click Buy more licenses for EDN.

• This section assumes you are familiar with the ADSecure-EP feature and how it works. For
information, see How ADSecure-EP protects your Active Directory?

Configuring ADSecure-EP through the Improve Protection wizard consists of two steps:
1 Select the AD objects you want to hide using ADSecure-EP.

2 Include this ADSecure-EP configuration in the required protection policies. See Select the protection
policies to implement ADSecure-EP.

Note: Make sure you have created the required protection policies. If not, first go to Configuration |
Endpoint Policies | Protection Policies | Add. Then, edit the name and click Save.

Select the AD objects to hide in ADSecure-EP

Recall that the Improve Protection - Objects page displays only those AD objects that are involved
in a discovered vulnerability. You can then select the required objects to hide.
The Improve Protection - Objects page displays only the following types of AD objects:
• Privileged users - to know what constitute as privileged users see Critical AD accounts queried from
the AD servers.

• Service accounts (any user account with SPN, that is unmanaged service accounts)

• Managed service accounts

• Domain controllers

• Non-privileged users (normal users with lesser privileges)

The following conditions must be met for AD objects to be listed in the Improve Protection - Objects
page:
• The objects are not excluded in ADAssessor Exclusions.

• AD objects are of the following types: privileged users, service accounts, managed service accounts,
domain controllers, or non-privileged users.

• In case of non-privileged users, only those users impacted by the exposures captured below are
listed:

56 Attivo Cloud User Guide

 ADAssessor
Understanding the ADAssessor Dashboard 4

• Dangerous access rights delegation on critical • AdminCount attribute set on standard users
objects • Default permissions changes on Domain Partition
• Unusual Accounts with Replication Permissions • Default permissions changes on Schema Partition
(DCSync)
• Domain controller owner permissions changes
• Weak default Administrator Account
• Domain controllers with passwords not changed
• Accounts with risky User Account Control parameters recently
• Default Administrator account hardening • gMSA Accounts with password not changed recently
• Privileged users without Fine-Grained Password • Privileged Accounts that are inactive
Policy
• Privileged accounts with unprivileged owners
• Kerberos Vulnerability assessment
• Privileged Users with Service Principal Names
• Non-canonical ACE on Objects Defined
• Unprivileged Users in AdminSDHolder ACL • Service Accounts that are inactive for more than 60
• Accounts with Hidden Privileged SID days
• Rogue domain controllers • Service Accounts that have shadow Admin privileges
• Unwanted privilege for Enterprise Key Admins • Shadow Admins in Privileged groups
• Accounts with Pre-Authentication disabled • Standard user accounts as DNS Admins
• Standard-Users with Gmsa password read • Weak SMB1 Session Allowed
permission • Detect Zerologon vulnerable Domain Controllers
• Kerberos Delegation on Privileged Accounts • LDAP Unsigned connections allowed
• Use legacy built-in groups in AD • Non-Standard permissions on agent certificate
• Disabled Accounts in Privileged Groups templates
• User Accounts with Sensitive Certificates

• AD objects are involved in a currently existing vulnerability. This page does not list the AD objects
not currently reported by ADAssessor.

• The AD data cache in Attivo Cloud is current. If you are not sure, click Refresh AD Data at
Configuration | Active Directory | AD Configuration. However, refreshing AD data can be a
time consuming process. Therefore, choose a time that has the least impact on other users in your
subscription, AD, and your network.

• After creating the object in AD, at least one ADAssessor analysis is complete.

You can group by and filters to easily list the required objects.
• View by Privileges: You can group by object type - privileged users, (unmanaged) service accounts,
managed service accounts, domain controllers, and users.

The following screenshot illustrates how the objects are displayed when you View by Privileges.

Attivo Cloud User Guide 57

4 ADAssessor
Understanding the ADAssessor Dashboard

• View by Exposures: You can group the objects by the corresponding exposure name. For each
exposure, the objects are grouped separately for each selected domain. An object impacted by
different exposures is listed under all those exposures.

Filtering options: The following filtering options are available regardless of how you group the
objects.
• Severity: Possible values for vulnerabilities are low, medium, high, and very high. The count of
vulnerabilities are given in parenthesis.

• Exposures: The detected vulnerabilities from the last ADAssessor analysis are listed.

• Domain: The domain you selected in the ADAssessor Dashboard tab is selected. To view all the
domains, de-select Select All and click Apply.

• Object type: Only the affected object types are listed. The object type User includes privileged users,
unmanaged service accounts, and non-privileged users.

After you select the required AD objects to hide, click Next.

Note: Even after you hide an affected object in ADSecure-EP, it is still displayed every time you invoke
the Improve Protection wizard until you remove the corresponding vulnerability in the AD.

Select the protection policies to implement ADSecure-EP

After you select the AD objects, select the required protection policies to implement your ADSecure-EP
configuration. Then click Save and Close.
Make sure you have created the required protection policies. If not, first go to Configuration | Endpoint
Policies | Protection Policies | Add. Then, edit the name and click Save.
Attivo Cloud modifies these protection policies to hide the selected objects:
• This point does not apply to non-privileged users. The objects you select in the Improve Protection
wizard are appended to the list of objects to be hidden as already configured in the selected protection
policies. That is, the existing Hide configuration in the protection policies is preserved with respect to
these objects.

• In case of non-privileged users, the objects already existing in the protection policies are overwritten
with what you selected currently in the Improve Protection wizard.

• If you select more than 2000 objects per type, then only a random 2000 objects per type are saved
in each selected protection policy. That is, you can hide 2000 privileged users, 2000 non-privileged
users, and so on.

• For example, if you select 2500 non-privileged user objects from domain A and 2000 from domain
B, then only a total of 2000 non-privileged user objects are saved in each selected protection
policy. These 2000 objects can belong to either one or both of the domains.

• In case of service accounts, the 2000 limit includes both unmanaged and managed service
accounts.

• If you have thousands of objects in multiple domains, you can run the Improve Protection wizard
separately for each domain separately.

• Click the View Report in the ADSecure-EP tab of an Endpoint Policy to view the objects configured
to hide. In this report, the Type for non-privileged users is Critical Users. You can access the
same report by clicking Configure Now | View Configuration Report in the ADSecure-EP tab
of a protection policy.

• ADSecure-EP hides the selected objects regardless of the group these objects belong to. For
example, jdoe belongs to enterprise admins and domain admins. Then, ADSecure-EP hides jdoe in
the AD response when the attacker enumerates either of these groups. To indicate this, all the
objects hidden through the Improve Protection wizard have the green check against them in the
View Report of a protection policy.

58 Attivo Cloud User Guide

 ADAssessor
Understanding the ADAssessor Dashboard 4

For detailed explanation of the ADSecure-EP options in the protection policies, see Create a protection
policy.
If you have not installed Attivo Endpoint Application from the selected protection policies, you must
generate Attivo Endpoint Application and install them on endpoints. If they are already installed from a
selected protection policy, the Attivo Endpoint Application instances in service mode are automatically
updated at the next update interval.

Understanding the AD Exposures tab

The Exposures tab details the exposures. From the Exposures tab, you can get the list of all the
exposures that were assessed for, the ones currently present in the domain, as well as the description
and remediation steps for each exposure. You can also generate reports from the data that is displayed
in the Exposures tab. These reports are referred to as ADAssessor reports.
The Exposure tab displays the details in a card view. The card visualization provides options to group,
filter, and sort the information, which can enable you to find quick answers. For example, you can
group all the exposures by domain name to figure the domain that requires your immediate attention.

Note: The data displayed in the Exposures tab is as per the value selected for Previous Results. By default,
data from the latest analysis is displayed. You can select from the last 7 scheduled and 7 manual analysis.

Scheduled analysis is on Saturdays 4 am UTC. When you add or modify an AD record (with the ADAssessor
option selected), then Attivo Cloud collects data only for that AD and does an analysis for ADAssessor. Even
such analysis are considered as scheduled analysis. In the Previous Results list, scheduled analysis is
indicated by a clock icon with a counterclockwise circular arrow.

ADAssessor analysis you trigger by clicking the Trigger Selected or Trigger All from the Actions menu are
manual analysis. In the Previous Results list, manual analysis is indicated by a pencil icon.

For scheduled analysis the ADAssessor report is automatically generated. To access ADAssessor reports, click
Download Reports.

If you are on a trial license, then for the selected domain, you are authorized to view only the top 3 exposures, one
from very high, high, and medium severities. Also, all the filtering options in the AD Exposures tab are disabled.

Item Description
1 This list has options for bulk operations. That is, the action you choose from this list applies
to all the records displayed currently.
2 Download the required ADAssessor report (PDF file). For information on ADAssessor
reports, see ADAssessor reports.
3 Click to refresh the page. This does not change the filters or the display options you have
set.

Attivo Cloud User Guide 59

4 ADAssessor
Understanding the ADAssessor Dashboard

Item Description
4 You can use the filtering options to define the data to be displayed.
Displays the currently applied filters. The ones in the screenshot are the default filters.

Note: Selecting multiple values in the same filtering option implies an OR condition.
Across different filter options, it is an AND condition.

5 Click Clear All to revert to the default filters.

6 Filter by the severity of the exposures.
7 The Group By option enables you to pivot data. This enables you to visualize the
exposures from different aspects. The value you select for Group By alters the column
headings accordingly when you expand an item in the card view.
8 Filter by the protocol used for the queries. For example, to query for data related to GPO,
Attivo Cloud uses SMB. For some exposures, Attivo Cloud uses both LDAP and SMB.
9 Filter by status. Vulnerable applies to exposures that are present at the time of the
analysis. Not vulnerable means that the corresponding exposure was assessed for but not
found.
10 You can view data from the last 7 scheduled and manual analysis (that is up to the last 14
analysis). You can use this to verify if a particular exposure is remediated and for
investigations based on historical data. Also see the note on scheduled and manual
analysis at the beginning of this section.
11 Additional filtering options are available in this list. Detection host name refers to the host
name of the domain controllers. The exposures for each DC is provided in parenthesis.
12 Use this to sort the detections based on domain name, run time (time of analysis), or
severity. Use the adjacent arrow to toggle between ascending and descending order. For
example, if you sort based on severity, the very-high detections are listed on top. You can
use the arrow button to list the low severity detections on top.
13 Click + to drill into each card and view the details of an exposure in a tabular format.
Hold the Ctrl key to select multiple details records.
14 Click to view additional details about the exposure. This includes information like summary
description, mitigation steps, link to reference material, and attacks tools that attackers
use to exploit this vulnerability.
All these additional details are available in the ADAssessor report.
15 Click to download the affected domain objects in a CSV file.
This CSV file is the same as the one that is provided as part of the ADAssessor report. This
option is displayed only if an exposure is present in the domain.
16 Click to view the affected domain object details in the browser. This option is displayed only
if an exposure is present in the domain.
Click the horizontal ellipsis for options:
• Acknowledge: Acknowledge the exposure. See item #19 in this table.
• Export: Export the affected object details to a CSV file.
• Re-run Assessment: See item #19 in this table.
• Exclude Exposure: Create an exclusion record for the exposure. See Create an
exclusion record for ADAssessor.
• Exclude Selected Objects: Create exclusions for specific objects. Select the required
objects and click this option. Use Ctrl key to select multiple objects.
• The supported object types are Computer, Group, and User.
• You must select at least one of these supported object types.
• If you select both supported and unsupported object types, only the supported ones
are included in the Exclusion record.
17 Acknowledge or unacknowledged individual exposure.
When you acknowledge a record, it is hidden if the Acknowledge filter is set to No. To
view this record again, select Yes in the Acknowledge filter.

60 Attivo Cloud User Guide

 ADAssessor
Understanding the ADAssessor Dashboard 4

Item Description
18 Enter comments for an exposure.
19 The horizontal ellipsis is active only when you click + of a card and select one or more
details record.
Hold the Ctrl key to select multiple details records.

Click the horizontal ellipsis to:

• Re-run Assessment: Select to assess if this exposure is currently present in the
corresponding domain.
ADAssessor checks only the selected exposure and only in the domains mentioned in
the details. The status of the reassessment is flashed in the UI. When reassessment
completes, refresh the page to see if the exposure still exist. Check the Run Time
column to confirm you are seeing the results from the reassessment.
• Export: Click to download the affected domain objects in a CSV file. This option is
applicable only if the exposure is present in the domain.
• Acknowledge or un-acknowledge the selected details records.
When you acknowledge a record, it is hidden if the Acknowledge filter is set to No. To
view this record again, select Yes in the Acknowledge filter.

ADAssessor reports
The ADAssessor report is a PDF file, which contains an executive summary section as well as a details
section. The executive summary section contains the same information as in the Dashboard for that
particular domain. The details section in the ADAssessor report contains all the information available for
an exposure when you click Details in the Exposures tab. Along with the report, a CSV file is provided
for each detected exposure. This CSV file contains the details of the impacted objects. You can use the
CSV files to remediate the exposures. For example, you can parse these files from a PowerShell script
to remove or modify the affected AD objects.
Attivo Cloud generates the ADAssessor report (PDF file) and the CSV files (affected objects) separately
for each domain. Consider that sales.acme.com and fin.acme.com are 2 domains, which Attivo Cloud
assessed. Attivo Cloud generates separate ADAssessor report and the CSV files for these 2 domains.
ADAssessor reports are created:
• After each scheduled analysis, that is at 4 am UTC on Saturdays, and when you add or modify an AD
record with ADAssessor option selected. These are scheduled ADAssessor reports.

• When you click Actions | Generate Report from the Exposures tab. These are manual ADAssessor
reports. The manual ADAssessor report contains the details of the just those exposures that are
displayed in the Exposures tab at the time of report generation. Therefore, to create a report out of
specific ADAssessor data, you can use the various options in the Exposures tab to first filter out the
required data. Then, you can generate the report. For example, you can generate a report for a
specific exposure like Weak default Administrator Account. Then, the report contains the details of
just this exposure.

Note: Recall that the Executive Summary in the reports corresponds to the current data in the
Dashboard. The current data in the Dashboard is always only the latest analysis. That is, data from earlier
analysis are not displayed in the Dashboard.
If you generate a report out of an earlier analysis, then there is a possibility of data mismatch between the
Executive Summary and the Details sections. Consider that you remediated a vulnerability detected in an

Attivo Cloud User Guide 61

4 ADAssessor
Understanding the ADAssessor Dashboard

earlier analysis. In the latest analysis, that vulnerability is not detected since you have remediated it
already. The same reflects in the Dashboard. Now, if you generate a report out of the earlier analysis data,
then the Details sections shows this vulnerability (because the data you used to generate the report
contains it). However, the Executive Summary data does not contain this vulnerability since the Executive
Summary data is based on the Dashboard data, which in turn is the data from the latest analysis.

Note: All the data shown in the ADAssessor Dashboard except in the ADAssessor Tests widget are from
the last ADAssessor analysis. Therefore, if you add or modify an AD record, then Attivo Cloud does data
collection and analysis for that domain (and tree, if applicable). Because the Dashboard shows data only
from the last analysis, data for all other domains (and trees) will not be displayed until the next scheduled
or manual analysis.
At this point, if you generate a manual report for a domain for which there is no data in the Dashboard,
report generation fails. This is because the Executive Summary in the reports corresponds to the current
data in the Dashboard. Because there is no data displayed in the Dashboard for that domain, there will be
no data to generate the Executive Summary section of the report, and the report generation itself fails.

To download the reports, click Download Reports in the Exposures tab. Links to all the scheduled
and manual reports from the last 30 days are listed. The same set of links are available to all users.
That is, manual reports generated by other users in your subscription are also available.
When you click a link, a ZIP file downloads, which contains the ADAssessor report and the CSV files.
The file name indicates whether it is a manual or a scheduled report. The file name also contains the
time of report generation (in UTC). The Timestamp column displays the age of the report, and this is
based on the time zone configured in your client endpoint.

How to generate a list of all the current exposures assessed by ADAssessor?

With time, ADAssessor might be assessing domains for more exposures. At any point in time, you can
generate a report containing the details of the current list of exposures that ADAssessor is assessing
for.
To do so:
1 Go to Analysis | ADAssessor and remove all filters by clicking Clear All.

2 Go to Actions | Generate Report.

Allow a couple of minutes and download the report from Download Reports. You can use the time
stamp in the Downloads dialog to identify the required report.

62 Attivo Cloud User Guide

 ADAssessor
Understanding the ADAssessor Dashboard 4

Understanding the Azure Exposures tab

The Azure Exposures tab details the Azure AD exposures. From the Azure Exposures tab, you can get
the list of all the Azure AD exposures that were assessed for, the ones currently present in Azure AD, as
well as the description and remediation steps for each Azure AD exposure. You can also generate
reports from the data that is displayed in the Azure Exposures tab. These reports are referred to as
Azure Exposure reports.
The Azure Exposure tab displays the details in a card view. The card visualization provides options to
group, filter, and sort the information, which can enable you to find quick answers. For example, you
can group all the Azure exposures by domain name to figure out the domain (in Azure AD) that requires
your immediate attention.

Note: The data displayed in the Azure Exposures tab is as per the value selected for Previous Results. By
default, data from the latest analysis is displayed. You can select from the last 7 scheduled and 7 manual
analysis.

Scheduled analysis is on Saturdays 4 am UTC. When you add or modify an Azure AD record (with the
ADAssessor option selected), then Attivo Cloud collects data only for that Azure AD and does analysis
for ADAssessor. Even such analysis is considered as scheduled analysis. In the Previous Results list,
scheduled analysis is indicated by a clock icon with a counterclockwise circular arrow.
ADAssessor analysis you trigger by clicking Trigger All from the Actions menu are manual analysis.
In the Previous Results list, manual analysis is indicated by a pencil icon.
For scheduled analysis, the ADAssessor report is automatically generated. To access ADAssessor
reports, click Actions | Download Reports.

Item Description
1 This list has options for bulk operations. That is, the action you choose from this
list applies to all the records displayed currently.
2 You can use the filtering options to define the data to be displayed.
This field displays the currently applied filters. The ones in the screenshot are
the default filters.

Note: Selecting multiple values in the same filtering option implies an OR

condition. Across different filter options, it is an AND condition.

3 Click Clear All to revert to the default filters.

4 Filter by the severity of the Azure AD exposures.
5 The Group By option enables you to pivot data. This enables you to visualize
the exposures from different aspects. The value you select for Group By alters
the column headings accordingly when you expand an item in the card view.
6 Filter by the protocol used for the queries.

Attivo Cloud User Guide 63

4 ADAssessor
Understanding the ADAssessor Dashboard

Item Description
7 Filter by status. Vulnerable applies to Azure AD exposures that are present at
the time of the analysis. Not vulnerable means that the corresponding Azure
exposure was assessed for but not found.
8 You can view data from the last 7 scheduled and manual analysis (that is up to
the last 14 analysis). You can use this to verify if a particular exposure is
remediated and for investigations based on historical data. Also see the note on
scheduled and manual analysis at the beginning of this section.
9 Additional filtering options are available in this list. Detection hostname refers
to the hostname of the Azure AD domain. The exposures for each domain is
provided in parenthesis.
10 Use this to sort the detections based on the domain name, the run time (time
of analysis), or severity. Use the adjacent arrow to toggle between ascending
and descending order. For example, if you sort based on severity, the very-high
detections are listed on top. You can use the arrow button to list the low
severity detections on top.
11 Click + to drill into each card and view the details of the exposure in a tabular
format.
Hold the Ctrl key to select multiple details records.
12 Click to view additional details about the Azure exposure. This includes
information like summary description, mitigation steps, link to reference
material, and attacks tools that attackers use to exploit this vulnerability.
13 Click to view the affected domain object details.
14 Click to download the affected Azure domain objects in a CSV file.
This CSV file is the same as the one that is provided as part of the ADAssessor
report. This option is displayed only if an Azure exposure is present in the
domain.

List of exposures
Below table provides the list of all the exposures that can be assessed by the ADAssessor feature in
Azure AD. It also provides the type of license that is required to remediate (mitigate) the vulnerabilities
present in Azure AD.

Exposure Required license

Standard users allowed to invite external users. Azure AD free license
Security defaults disabled for Administrators and Users. Azure AD free license
Standard users allowed to create security group. Azure AD free license
Standard users allowed to create Apps. Azure AD free license
Global administrator should have atleast 3 cloud only accounts. Azure AD free license
High Number of Privileged users in Azure AD Roles. Azure AD free license
Admin Consent is disabled for Applications. Azure AD free license
Users are allowed to consent to applications. Azure AD free license
Self Service Password Reset(SSPR) is Disabled. P2
Azure AD Device Join allowed without Multi Factor Authentication. P2
Privileged Users without Multi Factor Authentication (MFA). P2
New Classic Administrators added recently. Requires Subscription
New Delegated permissions added recently. Azure AD free license
High Number of Subscription owners in the Tenant. P2
External accounts with dangerous permissions on subscription. Requires Subscription
Guest users found in the Azure AD. P2

Note:
For the below mentioned exposures to work properly, the application used for the assessment must
have the ‘Reader’ permission for the subscription:

64 Attivo Cloud User Guide

 ADAssessor
Exclusions for ADAssessor 4

• New Classic Administrators added recently

• High Number of Subscription owners in the Tenant

• External accounts with dangerous permissions on the subscription

• Guest users found in the Azure AD

Exclusions for ADAssessor

ADAssessor reports misconfigurations, weak policy settings, and vulnerabilities as exposures. Some of
these exposures could be intentional or conventional in your enterprise network. You can suppress such
data in the UI to focus on the exposures that matter.
To suppress exposures reported by ADAssessor, you can create exclusions in Attivo Cloud. Attivo Cloud
applies these exclusions at the next analysis (scheduled or manual). When applied, the exposures
matching the exclusions are not displayed in the Dashboard and Exposures tabs.

Note: Exclusions are applicable only for Exposure Detection and not for Threat Detection.

Options to exclude exposures in ADAssessor

In an exclusion record, you must specify a forest, one or more domains, and one or more exposures to
which Attivo Cloud needs to apply the exclusion. All the discovered forests and domains are listed for
you to choose.
You have two options when you create exclusions for ADAssessor:
• You can apply the exclusion to one or more exposures.

• You can also make the exclusion granular by selecting specific AD objects to which it must be applied.

When you select exposures (and no AD objects), then the exposure itself is suppressed in both the
Dashboard and Exposures tabs. Even the Total count in the Test Results widget does not factor in the
suppressed exposures. Similarly, clearing all the filters in the Exposures tab too does not display the
excluded exposure. To view the exposure again, you must remove the exclusion and trigger an
analysis.

The total
exposure
Exposures tab filters set to display all
count in the
exposures
Dashboard tab

To create granular exclusions, you can select objects of the following types: computer, GPO, security
groups, and users. AD objects of these types that are associated with the detected exposures from the
last analysis are listed.
Consider that ADAssessor reports 5 servers running on obsolete Windows Server operating systems.
Your investigation revealed that these are legacy servers, which are required to run on those operating
systems. You want to suppress this exposure just for these 5 servers. Then, create an exclusion in
which you must select Computers running an obsolete OS as the exposure and then the corresponding
5 computer objects. Then from the next analysis, ADAssessor checks for this exposure but does not
report it just for these 5 computer objects.

Attivo Cloud User Guide 65

4 ADAssessor
Exclusions for ADAssessor

Note: If you exclude all the affected objects of an exposure in all the domains, then it is treated as if the
exposure itself is excluded. This affects the Test Results widget as explained above.

If you exclude all the affected objects of an exposure for a particular domain, then that card is not shown in
the Exposures tab when you view the exposures of just that domain.

To create exclusions, go to Configuration | Active Directory | ADAssessor Exclusions. The

Exclusions page list any existing exclusion records.

Field Description
Name The name that you provided for identification purposes.
Forest The forest name corresponding to the excluded exposures or AD objects. You can only
select one forest in a record.
Domains The domains corresponding to the excluded exposures or AD objects. Though you can
select multiple domains in the same record, recommend that you create separate records
for each domain for easier management.
Exposures One or more exposures you selected in the exclusion record.
Object Types If you select objects in the exclusion record, then the type and the count of each is
displayed. This value is empty if you exclude the exposure itself.
If you use a wildcard character (*) to denote the selected objects, then it is indicated by
an * next to the object type.
Objects The total count of all the selected objects in the exclusion. You can export the list to a CSV
file. You can also view all the objects in a dialog box.

Regex is yes if you use wildcard character (*) to specify the objects to be excluded.

Create an exclusion record for ADAssessor

When you add, edit, delete an exclusion, changes are applied only from the next assessment. You can
create a broad-based or a granular exception. The details are provided in this section. Also see Options
to exclude exposures in ADAssessor.
Before you begin:
To create exclusions for specific AD objects, ADAssessor must have reported exposures involving those
objects.
Steps:
1 Go to Configuration | Active Directory | ADAssessor Exclusions | Add.

2 Specify values for the following fields.

66 Attivo Cloud User Guide

 ADAssessor
Exclusions for ADAssessor 4

Field Description
Name Enter a unique name for the record for identification. Optionally, enter a description.
Forest Select the forest corresponding to the exposures or objects you want to exclude. You can
only select one forest in a record.
Domain Similarly select a domain. Though, you can select multiple domains in a record,
recommend that you create separate records if the exclusion spans multiple domains.
Exposures Select the exposures to exclude. All the exposures (regardless of whether present in your
network or not) are listed.

Tip: Enter a few letters of the exposure name in the Quick Find box to easily locate the
required exposure. You can similarly search in other fields as well.

Object Type Select the objects for the exclusion record. The objects are listed based on the exposures
selected in Exposures field. You can use Get Objects button to fetch the list objects.

3 If you are excluding the selected exposures itself, then click Save.

The rest of the information in this section is relevant only if you want to exclude AD objects for the
selected exposures.

4 To exclude objects by selection, do the following.

a From the Object Type list, select the ones relevant to the exposures you have selected.

b Click Get Objects.

Note: The objects reported in the latest assessment, for the selected exposures and for the selected
domain are listed in the Available Objects section. For example, if the selected exposure is Dormant
User Accounts and the object type is User, then all the affected user objects of Dormant User Accounts
exposure as per the latest assessment are listed.

c In the Available Objects section, select the objects to exclude and click Add.

The objects you add are displayed in the Selected Objects section.

d To add all the listed objects, select Add All.

e To exclude the current as well as the objects that may be reported in the future, select All Current
and Future Objects.

When you select this option, wildcard character (*) is used to exclude any object reported for
the selected exposures and domain combination.

Note: In the Selected Objects section, a regex-based record is created for each selected object type
and domain combination.

f After you add the required objects for all the required exposures, click Save.

5 To exclude objects using wildcard character, scroll down to the Selected Objects section and do the
following.

a In the Manual/Wildcard Entry field, first select the object type.

The supported object types are: computer, GPO, Group, and User.

b Enter a regular expression to denote the required object names and then click Add.

* is the only supported wildcard character. For example, to exclude all security groups related
to administrators, you can select Group as the object type and *admin* as the string. This
excludes the selected exposures in the selected domain, wherein the name of the reported
security groups contain the string admin.

Attivo Cloud User Guide 67

4 ADAssessor
Skipped exposures-reasons and troubleshooting steps

Note: Make sure the object type is relevant to the exposures you have selected. For example, you
cannot add computer objects, if the selected exposure is just Dormant User Accounts.

c After you have add the required regular expressions, click Save.

Skipped exposures-reasons and troubleshooting steps

Error Error Description Recommended troubleshooting steps

code message
100 LDAP This occurs when LDAP Connection or queries has 1 Test the connection between the CloudLink and
Exception failed during an assessment run. Domain Controller.
Possible cause of exceptions: 2 Ensure port 389/636 is allowed if there is a
firewall in between.
1 Network, Proxy or Firewall issue
3 Validate the Domain Namae, Domain Controller
2 Invalid Username / Password Name and Credentials are correct.
3 User account lockout 4 Check if the account used in AD configuration is
4 Password Expired not locked out
5 Invalid Domain Name configured 5 Check if the account used in AD configuration
6 Invalid Domain Controller configured password has not expired. Recommended to set
the account to password never expire.
7 Domain Controller is abandoning request
6 Check the health of the Domain Controller. Use
8 Domain Controller is not responding tools like LDP to validate Domain Controller is
9 Incorrect Certificate responding to LDAP Queries.
10 LDAPS not configured on DC
11 Certificate Expired
12 Certificate Revocation check failure
13 Names resolution failure.
101 LDAP Timeout This occurs when LDAP Connection or queries has 1 Test the connection between the CloudLink and
failed during an assessment run. Domain Controller.
Possible cause of exceptions: 2 Ensure port 389/636 is allowed if there is a
firewall in between.
1 CloudLink unable to contact Domain Controller
due to communication issues. 3 Check the health of the Domain Controller. Use
tools like LDP to validate Domain Controller is
2 Domain Controller is slow and not responding
responding to LDAP Queries.
within the TCP Timeout.
3 LDAP policy is configured with lower values.
200 SMB Exception This occurs when SMB Communication has failed 1 Test the connection between the CloudLink and
during an assessment run. Domain Controller.
Possible cause of exceptions: 2 Ensure port 445 is allowed if there is a firewall in
between.
1 CloudLink unable to contact Domain Controller
due to communication issues 3 Validate the Domain Name, Domain Controller
Name and Credentials are correct.
2 Invalid Username / Password
4 Check if the account used in AD configuration is
3 User account lockout
not locked out
4 Password Expired
5 Check if the account used in AD configuration
5 Invalid Domain Name password has not expired. It is recommended to
6 Invalid Domain Controller configured. use a non-priviledged service account or to set
the account to password never expire.
7 DNS Issues (Name Resolution Failing for DC)
6 Check the health of the Domain Controller.
7 Ensure SMB connections are working from using
the Hostname of the Domain Controller.

68 Attivo Cloud User Guide

 ADAssessor
Skipped exposures-reasons and troubleshooting steps 4

Error Error Description Recommended troubleshooting steps

code message
201 SMB Timeout This occurs when SMB Communication has failed 1 Test the connection between the CloudLink and
during an assessment run. Domain Controller.
Possible cause of exceptions: 2 Ensure port 445 is allowed if there is a firewall in
between.
1 CloudLink unable to contact Domain Controller
due to communication issues. 3 Check the health of the Domain Controller.
2 Domain Controller is slow and not responding 4 Ensure SMB connections are working from using
within the TCP Timeout. the Hostname of the Domain Controller.

300 WinRm This occurs when WinRM Communication has failed 1 Test the connection between the CloudLink and
Exception during an assessment run. Domain Controller.
Possible cause of exceptions: 2 Ensure port 5985/5986 is allowed if there is a
firewall in between.
1 CloudLink unable to contact Domain Controller
due to communication issues 3 Validate the Domain Name, Domain Controller
Name and Credentials are correct.
2 Invalid Username / Password
4 Check if the account used in AD configuration is
3 User account lockout
not locked out
4 Password Expired
5 Check if the account used in AD configuration
5 Invalid Domain Name password has not expired. Recommended to set
6 Invalid Domain Controller configured. the account to password never expire.
7 DNS Issues (Name Resolution Failing for DC) 6 Check the health of the Domain Controller.
8 WinRM disabled on Domain Controller 7 Ensure WinRM connections are working from
using the Hostname of the Domain Controller.
9 WinRM pre-requisites is not configured.
8 Follow the below link to Enable WinRM
https://docs.microsoft.com/en-us/powershell/
module/microsoft.powershell.core/enable-
psremoting?view=powershell-
7.2#:~:text=PowerShell%20remoting%20is%2
0enabled%20by,computer%20that%20will%20
receive%20commands.
9 Follow the instructions in the below link to
configure WinRM. (Point to our document for
WinRM pre-requisties.)
301 WinRm This occurs when WinRM Communication has failed 1 Test the connection between the CloudLink and
Timeout during an assessment run. Domain Controller.
Possible cause of exceptions: 2 Ensure port 5985/5986 is allowed if there is a
firewall in between.
1 CloudLink unable to contact Domain Controller
due to communication issues 3 Check the health of the Domain Controller.
2 Domain Controller is slow and not responding 4 Ensure WinRM connections are working from
within the TCP Timeout using the Hostname of the Domain Controller.

500 Credential This occurs when the Domain Configured in the AD Validate the Domain Name Configured.
specific DC Configuration and Credentials don’t match to find a Review the Username / Password configured.
could not be suitable Domain Controller for Kerberos
found Authentication. Try alternate methods to provide username in UPN
or Netbios name format.
501 Kerberos auth This occurs when there time a difference of more 1 Fix the time on the CloudLink endpoint.
failed due to than 5 minutes between the CloudLink and Domain 2 Configured the CloudLink machine to sync time
time zone Controller. from the Domain Controller.
difference
between DC
and EPU/EDN.
505 Runtime This occurs when there is a failure in executing Recommend to re-run the assessment again. If the
failure certain assessment tasks due to unknown condition. condition persists contact the support for assistance
with the support logs.
506 Timeout This occurs when predefined timeout is reached Recommend to re-run the assessment again. If the
when executing certain assessment tasks due to condition persists contact the support for assistance
unknown condition. with the support logs.
1000 Graph This occurs when executing assessments and Recommend to re-run the assessment again. If the
Exception exception is returned by the Azure AD Graph condition persists contact the support for assistance
provider due to unavailability of service, with the support logs.
communication issue or authorization failure.

Attivo Cloud User Guide 69

4 ADAssessor
Skipped exposures-reasons and troubleshooting steps

70 Attivo Cloud User Guide

5 ADSecure-DC

ADSecure-DC is a feature in Attivo Cloud, which detects Kerberos attacks and AD-enumerations in real-
time. Some examples of these attacks are Golden and Silver Ticket attacks, pass-the-hash attack, and
enumeration of critical AD users and groups.
The distinguishing factor in ADSecure-DC is detecting these advanced AD attacks at the Domain
Controllers and application servers. ADSecure-DC does not require Attivo Endpoint Application to be
present on the source endpoint. Therefore, it can detect these attacks from any endpoint in the network
- even from a non-Windows endpoint like Linux, Mac, or IOT systems.

How does ADSecure-DC work?

Similar to the other Attivo Cloud features, ADSecure-DC also requires an Attivo CloudLink in your
network. You only need one Attivo CloudLink regardless of the number of features you configure. For
information on Attivo CloudLink, see Deploy Attivo CloudLink. You must also make sure you have
configured the details of the Active Directory you want to protect.
After you configure ADSecure-DC in Attivo Cloud, you must generate Attivo Endpoint Application and
install it on all the Domain Controllers of the domains you want to monitor. To detect Kerberos-based
attacks on application servers, you must install Attivo Endpoint Application on the Kerberos-aware
application servers. An example of such an attack is the Silver Ticket attack.
When attackers attempt Kerberos-based attacks or domain enumeration from any endpoint on the
network, the Attivo Endpoint Application instances on the Domain Controllers and application servers
analyze the relevant communication and correlate data to detect attacks or malicious activities. If
found, Attivo Cloud immediately raises an event with the details for mitigation and remediation.

Attivo Cloud User Guide 71

5 ADSecure-DC
How does ADSecure-DC work?

What are the types of attacks ADSecure-DC can detect?

Note that ADSecure-DC currently detects attacks and malicious activities but does not prevent them. At
a broader level, ADSecure-DC detects two categories of attacks:
• Kerberos-based attacks

• AD enumerations
Kerberos-based attacks
Attivo Endpoint Application on a Domain Controller or an application server can detect forged and
anomalous tickets and requests. For example, anomalies can be Kerberos tickets with a very long
expiry time and tickets awarded to non-existent users.
In large organizations, attackers can request a ticket from one site and present it on another for
privilege escalation. In such cases, the ADSecure-DC module on Attivo Cloud may further analyze and
correlate data from different Domain Controllers to detect these attacks.
Attackers can present forged or fake tickets to application servers that rely on Kerberos authentication.
You must install Attivo Endpoint Application on the application servers to detect such attacks.
The following are some examples of application servers that may use Kerberos to authenticate service
requests:
• Microsoft Exchange

• SharePoint

• CRM Dynamics

• Azure AD Connect

72 Attivo Cloud User Guide

 ADSecure-DC
How does ADSecure-DC work? 5

• MS SQL

The following are some of the Kerberos-based attacks that ADSecure-DC detects:
• Golden and Silver Tickets

• Skeleton key attacks

• Pass-the-ticket

• Forged PAC (part of Golden / Silver detection)

• DCSync

• DCShadow

• AS REP roasting

• Pass-the-hash

• Overpass-the-hash

Malicious AD enumerations
Attackers carry out reconnaissance by enumerating privileged users and groups. Such activities are
usually precursors to more dangerous attacks. You can configure ADSecure to detect such
enumerations to preempt more serious attacks later in the kill chain.
ADSecure-DC can detect enumerations using the following protocols: LDAP, SAMR, and LSARPC.
For its analysis, ADSecure-DC considers only the enumerations from authenticated AD users. It raises
events for the enumeration of the following:
• Domain Controllers

• Privileged users

• Account operators

• Administrators

• Domain admins

• Enterprise admins

• Group policy creator owners

• Schema admins

• Cert publishers
• RAS and IAS servers

• Server operators

• Print operators

• Backup operators

• Builtin\Hyper-V Administrators

• Privileged groups

• Service accounts

Note: To avoid false positives, ADSecure-DC ignores enumerations by legitimate applications executed in the
system context.

Attivo Cloud User Guide 73

5 ADSecure-DC
Advantages of ADSecure-DC

Advantages of ADSecure-DC
• ADSecure-DC detects attacks and malicious activities regardless of the source endpoint. It can be
domain-joined endpoint or not. It can even be running a non-Windows operating system.

• You can configure Attivo Cloud to forward attack details as syslog messages to a SIEM or other
connectors for further correlation and mitigation.

• You only need to install Attivo Endpoint Application on the Domain Controllers and the required
application servers. No enterprise-wide installation is required to protect the AD. That is, the source
endpoint does not need Attivo Endpoint Application to be installed on it.

• The ADSecure-DC module of Attivo Endpoint Application, installed on a Domain Controller or

application server, passively detects attacks. For example, it may look at the incoming requests and
logs for analysis. ADSecure-DC does not affect the functioning of a Domain Controller or application
server.
• There is no learning period required to detect dangerous enumerations and Kerberos-based attacks.

ADSecure-DC and other AD-related features - a comparison

Though there can be some overlap in the detected attacks, the purpose and functionality of ADSecure-
DC are unique compared to other AD-related features in Attivo Cloud.
ADSecure-DC and ADSecure-EP
AS their names suggest, the purpose of both ADSecure-DC and ADSecure-EP is to protect the AD.
However, they operate from the opposite ends of the AD spectrum. ADSecure-DC operates at the
target of the attack while ADSecure-EP operates at the source.

ADSecure-DC ADSecure-EP
You need to install Attivo Endpoint Application only on For complete protection, you need to install Attivo
the Domain Controllers and the required application Endpoint Application on all the Windows endpoints
servers. except for Domain Controllers and Kerberos-aware
application servers.
Not dependent on the operating system or type of the Designed to work on Windows endpoints.
source endpoint. Therefore, it detects an adversary
even using a Linux endpoint for the attack.
No learning period required since it is passive detection. Recommendation is to deploy it in conservative mode
first to finetune the configuration accordingly.
No exclusion list is required. The Engagement Setting in Works based on the configured Exceptions policy.
the Global Settings of a Protection Policy does not apply
to ADSecure-DC.
Detects AD enumeration. Prevents attacks by hiding real AD objects in the
response, and deceives attackers by inserting deceptive
AD objects in the response.
Detects Kerberos attacks by analyzing the tickets when Detects Golden Ticket, Silver Ticket, and pass-the-
they are presented at the Domain Controllers and ticket attacks by analyzing the tickets present in client
application servers. endpoints.

ADSecure-DC and ADAssessor

74 Attivo Cloud User Guide

 ADSecure-DC
Can ADSecure-DC be deployed along with EDN features? 5

ADSecure-DC ADAssessor
Detects attacks through the Attivo Endpoint Application Attivo Cloud queries for specific AD data and assesses
installed on Domain Controllers and application servers. the data on Attivo Cloud to detect vulnerabilities,
misconfigurations, and weak policy settings.
Detects attacks in real-time by analyzing the requests Monitors for changes to AD changes to detect attacks
and logs. such as brute-force and password spray attempts.

Can ADSecure-DC be deployed along with EDN features?

You can configure EDN features on your network endpoints, and ADSecure-DC on Domain Controllers
and Kerberos-aware app servers. However, you must create separate protection policies for ADSecure-
DC and the endpoint features. Therefore, you must generate one Attivo Endpoint Application binary file
for the EDN features and another for ADSecure-DC. However, you just need one Attivo CloudLink in
your network regardless of the features you configure.

Attivo Cloud User Guide 75

5 ADSecure-DC
Deploying ADSecure-DC

Deploying ADSecure-DC
Before you configure ADSecure-DC, make sure you comply with the requirements, and you have
understood the considerations.
• Requirements
• Considerations

• High-level steps to configure ADSecure-DC

Requirements
• Click the gear icon in Attivo Cloud and then click Subscription to verify if you have enough
ADSecure-DC subscriptions. You can click Buy more licenses to request for additional subscriptions.
For the terms, conditions, and pricing details, contact Attivo Support.

76 Attivo Cloud User Guide

 ADSecure-DC
Deploying ADSecure-DC 5

• You must deploy an Attivo CloudLink in your network if not present already. Regardless of the number
of domains you want to protect or the Attivo Cloud features you implement, there must be only one
Attivo CloudLink in an enterprise network. See Deploy Attivo CloudLink for information on Attivo
CloudLink.

In the context of ADSecure-DC, Attivo CloudLink is required to query data for correlation and
analysis. Some examples are as follows:

• ADSecure-DC module requires information about privileged objects and policy settings to identify
suspicious enumerations. Attivo CloudLink also updates any subsequent changes.

• Recall that for accurate detection, you must install ADSecure-DC on all the Domain Controllers of
a domain. Attivo CloudLink updates the ADSecure-DC module if there are any Domain Controllers
without ADSecure-DC installed. For example, post-deployment, the AD team may deploy additional
Domain Controllers, which the security team may not be aware of.

To know what AD data is collected and how they are stored in Attivo Cloud, ask for Cloud Security
Considerations and Data Retention as well as AD Data in Attivo Cloud documents from Attivo
Support.

• The Domain Controllers and application servers on which you want to deploy ADSecure-DC must run
any of the following Windows operating systems:

• Windows Server 2008 R2

• Windows Server 2012 R2

• Windows Server 2016

• Windows Server 2019

• You must configure the details of the domains you want to protect in Attivo Cloud. You also need the
credentials of an AD user with at least read-only access on the AD and privileges to use WinRM service
on the Domain Controllers. The AD details you configure applies to all the AD-related features in Attivo
Cloud.

• You must have privileges to install Attivo Endpoint Application as a service in the Domain Controllers
and the required application servers.

Considerations
• You can deploy all EDN features using the same Attivo Endpoint Application binary. However, you
cannot combine ADSecure-DC with any other feature. For example, you cannot deploy ThreatStrike
and ADSecure-DC concurrently on an application server. Therefore, you must create an exclusive
protection policy for ADSecure-DC. Then, you must install the corresponding Attivo Endpoint
Application binary to deploy ADSecure-DC.

• ADSecure-DC detects enumeration over LDAP, SAMR, and LSARPC. If the traffic is encrypted,
ADSecure-DC works only for LDAP queries.

• You cannot deploy ADSecure-DC on Azure AD but you can install it on Azure AD Connect.

High-level steps to configure ADSecure-DC

1 You have reviewed and understood the Requirements and Considerations.

2 If not present already, install one Attivo CloudLink in your network.

Attivo Cloud User Guide 77

5 ADSecure-DC
Deploying ADSecure-DC

This Attivo CloudLink must be able to reach and resolve all the domains you want to protect. These
can even be domains across forests, wherein you have configured the required trusts between the
domains. You must install only one Attivo CloudLink regardless of the features you deploy. To
protect domains across forests where there is no trust between domains, you must deploy
separate Attivo CloudLink instances for each domain. See Deploy Attivo CloudLink.

3 Go to Configuration | Active Directory | AD Configuration and configure the details for all the
domains you want to protect through ADSecure-DC.

The AD details you configure apply to all the AD-related features. If you have domains across
forests, you must configure both the trusting and the trusted domains. Refer to the Online Help for
field descriptions.

Note: You cannot deploy ADSecure-DC on Azure AD but you can install it on Azure AD Connect.

4 Configure ADSecure-DC.

5 Create an exclusive protection policy for ADSecure-DC.

a Go to Configuration | Endpoint Policies | Protection Policies and create a new protection

policy.

b In the Features tab, edit the name of the protection policy as required.

c Enable ADSecure-DC and click Save.

Note: If you enable ADSecure-DC, you cannot enable other features in the same protection policy.

If you enable ADSecure-DC in a protection policy, where you have already enabled other features, then
those features are disabled automatically. Therefore, at the next update interval, Attivo Endpoint
Application instances

d Configure the required fields in the Global Settings tab.

Refer to the Online Help for the field descriptions.

The following fields do not apply to ADSecure-DC:

• Reporting Interval

• Endpoint Reporting

• Reports Throttling Interval

• Console Apps

• Exceptions

e Click Save and then click Download to generate the Attivo Endpoint Application installable and
save it in your system or network.

6 Install Attivo Endpoint Application.

For accurate detection, you must install Attivo Endpoint Application on all the Domain Controllers
(including read-only Domain Controllers) of the domains you want to protect. Also, install it on the
application servers you want to protect from Kerberos-related attacks.

Extract Windowssetup.exe from the Attivo Endpoint Application bundle and install it as a service
for all users. That is, install it with /ia and /service parameters. See Common Attivo Endpoint
Application parameters.

7 View the attack details as reported by ADSecure-DC.

For the attacks it detects, ADSecure-DC raises events with the details.

78 Attivo Cloud User Guide

 ADSecure-DC
Deploying ADSecure-DC 5

a Go to Analysis | Events.

b Filter the records with the Feature set as ADSecure-DC.

c Set other filters as necessary such as Time and Severity.

d To view the details of an attack, click the horizontal ellipsis and select Details View.

e Click on an attack description to view a detailed description, mitigation steps, and external
references.

For more information on the options and features in the Events page, see Monitoring through
the Events tab.

Configure ADSecure-DC
You can configure ADSecure-DC to monitor just the required protocols. You can configure this
differently for different domains. For example, you can configure ADSecure-DC to monitor for just the
Kerberos-related attacks for a particular child domain.

Note: The ADSecure-DC configuration applies to all ADSecure-DC deployments in your subscription.

Steps:
1 Go to Configuration | Endpoint Policies | ADSecure-DC.

2 Change the Mode if required.

When an attacker enumerates the Domain Controllers, privileged users or groups, or service
accounts, ADSecure-DC immediately raises an event. Attackers may also attempt less dangerous
enumerations in a build-up to a more dangerous attack. An example could be enumeration of a
standard user group or computer group for lateral movement. To detect such activities, ADSecure-
DC has a score-based detection mechanism. Mode applies only to this score-based detection
mechanism, and does not apply to the enumeration of critical objects.

The Aggressive mode has the least threshold for enumeration of standard AD objects, and
Conservative has the highest threshold level. Therefore, you can first select Conservative and
then progress to other modes over time.

Note: Mode currently applies only to SAMR and LSARPC.

3 You can enable ADSecure-DC to monitor just the required protocols. If required, you can configure
this differently for different AD.

a To apply the same configuration for all the configured AD, select Common for all domains.

b You can disable the protocols you do not want ADSecure-DC to monitor. For example, if you disable
Kerberos, then ADSecure-DC does not monitor for any Kerberos-related attacks.

Attivo Cloud User Guide 79

5 ADSecure-DC
Deploying ADSecure-DC

c To configure ADSecure-DC differently for some of the domains, select Individually for domains.
You can configure ADSecure-DC as per your requirement at any level in a domain tree.

The tree structure for all the domains you have configured under Configuration | Active
Directory | AD Configuration are displayed.

d To configure differently for a domain at any level, click the corresponding cogwheel icon.

e Disable the protocol as required. For example, if you disable SAMR, then ADSecure-DC does not
raise events for enumerations over the SAMR protocol.

f If you want the same configuration to apply to the child domains of the domain you selected, check
Apply to sub-domains. To configure differently for any child domain, uncheck this option and then
make the configuration changes for the required child domain. Then click Save.

If you disable a protocol for a particular domain, then it is indicated in red as in the screenshot
above.

g Click Save.

If you are editing post-deployment, then the changes take effect from the next update interval.

80 Attivo Cloud User Guide

6 Configuring cloud decoys

After adding your cloud account in Attivo Cloud, you can configure the cloud decoys and deploy them in
your cloud environments. When attackers attempt to target your network using these decoys assuming
that they are actual, then Attivo Cloud raises events which help you take necessary action.

Configuring AWS cloud decoys

Attivo Cloud provides pre-defined default decoys for each of the supported AWS services. You can
either choose to use the default decoys or configure the decoys (custom) as per your requirement. The
currently supported AWS services are Access Keys, S3 Buckets, Serverless - Lambda Web App,
Dynamo DB, and, Lambda function.
Before you begin:
• We assume that, currently you are in Configuration | Cloud | AWS | Decoy Configuration page
in Attivo Cloud to configure the AWS cloud decoys.

• You have selected the AWS account for which you are going to configure the decoys.

Common notes for configuring decoys for AWS services:

• To add default decoys for the services you just need to click ‘+’ icon present for each of the service.
Each time you click + icon for a service, it increments the default decoy number by 1. To decrease
the number default decoys, you need to use - icon.

• You can add up to 5 default decoys for each of the services.

• For the first time, the default decoy value will be displayed as 0 for each of the service. It indicates
that no default decoys have been configured and the status will be displayed as Nothing Configured.
You can either add a default decoy for the resource by clicking + icon or add a custom decoy by using
Configure Now button. You can configure as many custom decoys as you want.

Important: At least one Access Key and S3 Bucket should be configured first to continue with deploying of
cloud decoys.

Note: If you make any changes in the decoy configuration but do not deploy them, then the changes will be
persisted.

Creating deceptive Access Keys

Access keys are credentials for IAM users in AWS. Create deceptive users with fake access keys and
Attivo Cloud will raise events if these users try to access any of the supported services.
Steps:
1 Under Deception Configuration, click Add/Edit button present for Access Key service.

Attivo Cloud User Guide 81

6 Configuring cloud decoys
Configuring AWS cloud decoys

2 Enter the following details.

Field Description
Group Name Enter a name for the deceptive IAM group that you are creating in your AWS account.
Group Policy Name Enter a name for the deceptive IAM group policy that you are creating in your AWS
account.
User Enter the fake user names which are going to be present within the IAM group.

3 Click Add.

4 Repeat the above steps to add more custom deceptive Access Keys.

Create deceptive S3 buckets

Create decoy S3 buckets with some fake content in them so that Attivo Cloud can raise events when
these buckets are accessed.
Steps:
1 Under Deceptive configuration, click Add/Edit link present for S3 Bucket service.

2 Enter the following details.

Field Description
Bucket Name Enter a name for the S3 bucket.
File Import Import a zip file into your S3 bucket.

3 Click Add.

4 Repeat the above steps to add more custom deceptive S3 buckets.

Create deceptive Serverless - Lambda Web Application

Create a fake static website (for example, Human Resource Management System (HRMS) in your
organization, so that Attivo Cloud can raise events when this website is accessed.
Steps:
1 Under Deceptive configuration, click Add/Edit present for Serverless - Lambda Web
Application.

2 Enter the following details.

Field Description
Lambda Function Enter the name of the Lambda function that will write the bucket logs to CloudWatch logs.
Role Enter the name of the role.
Policy Name Enter the policy name.
API Gateway Name Enter the API gateway name.
Landing page Displays the landing page of your static website.
Template The default content is a Human Resource Management system website.
Route 53 domain Enter your registered Route 53 domain name.
name
S3 bucket region Choose the region where you want the S3 buckets to reside.
Website Choose Public if you want your website to be publicly accessible.
Choose Private if you want to restrict the accessibility to a VPC. You can specify the VPC
details in VPC ID & VPC Region.

3 Click Add.

4 Repeat the above steps to add more custom deceptive Serverless - Lambda Web Apps.

82 Attivo Cloud User Guide

 Configuring cloud decoys
Configuring Azure cloud decoys 6

Create deceptive DynamoDB

Create a fake Dynamo DB so that Attivo Cloud can raise events when this Dynamo DB is accessed.
Steps:
1 Under Deceptive configuration, click Add/Edit for Dynamo DB service.

2 Enter the following details.

Field Description
DB Name Enter a name for the Dynamo DB table.
File Import Import a CSV file that has the data for your Dynamo Database.

3 Click Add.

4 Repeat the above steps to add more custom deceptive Dynamo DBs.

Create deceptive Lambda Function

Create a fake lambda function so that Attivo Cloud can raise events when this Lambda function is
accessed.
Steps:
1 Under Deceptive configuration, click Add/Edit for Lambda Function.

2 Enter the following details.

Field Description
Role Enter the name of the Role.
Policy Name Enter the name of the policy.
Add Click Add to add a lambda function.
Function Enter the name of the lambda function.
Use API Gateway Choose Yes to be able to invoke the deceptive AWS lambda functions using API gateway.
API Gateway Name Enter the name of the Amazon API gateway.
Base Path Enter the base path.
Path Enter the path.

3 Click Add.

4 Repeat the above steps to add more custom deceptive Lambda Functions.

Configuring Azure cloud decoys

To configure your Azure Cloud decoys, you must choose the Subscription and the required Resource
group in which you want to deploy the decoy resources. You can create decoys for the following Azure
resources: Blob Storage, File Storage, Cosmos DB, Azure Function App, and, Web App.
Before you begin:
• We assume that you are currently in Configuration | Cloud | Azure | Decoy Configuration page
and you have selected the required Subscription and the Resource Group.

Common notes for configuring decoys for Azure resources:

• To add default decoys for the resources you just need to click ‘+’ icon present for each of the resource.
Each time you click + icon for a resource, it increments the default decoy number by 1. To decrease
the number default decoys, you need to use - icon.

Attivo Cloud User Guide 83

6 Configuring cloud decoys
Configuring Azure cloud decoys

• You can add up to 5 default decoys for each of the resource.

• For the first time, the default decoy value will be displayed as 0 for each of the resource. It indicates
that no default decoys have been configured and the status will be displayed as Nothing Configured.
You can either add a default decoy for the resource by clicking + icon or add a custom decoy by using
Configure Now button. You can configure as many custom decoys as you want.

Note: If you make any changes in the decoy configuration but do not deploy them, then the changes will be
persisted.

Creating deceptive Blob Storage

Azure Blob storage is a service for storing large amounts of unstructured object data, such as text or
binary data.
Steps:
1 Click Configure button present inside Blob Storage section.

2 Blob Storage dialog to add the details is displayed.

Field Description
Storage Name Name for the Storage to be used while creating the deceptive Blob Storage under the
selected Subscription and Resource Group.
Storage Location Select the Region where the deceptive Blob Storage is required to be deployed.
Storage Container Name for the Storage container in which the deceptive Blob Storage is required to be
Name present.
File Import Click Browse button to upload the deceptive Blob Storage.
Add Click to Add the deceptive Blob Storage.
Clear Click to erase the entered details.

3 Repeat the steps above and add the required number of deceptive Blob Storages. Once adding all the
Blob Storages, click Close icon to close the Blob Storage dialog.

Creating deceptive File Storage

Azure File storage is a fully managed distributed file system that is based on the SMB protocol.
Steps:
1 Click Configure button present inside File Storage section.

2 File Storage dialog to add the details is displayed.

Field Description
Storage Name Name for the Storage to be used while creating the deceptive File Storage under the
selected Subscription and Resource Group.
Storage Location Select the Region where the deceptive File Storage is required to be deployed.
File Share Name Name of the File Share system in which the deceptive File Storage needs to be deployed.
File Import Click Browse button to upload the deceptive File Storage.
Add Click to Add the deceptive File Storage.
Clear Click to erase the entered details.

3 Repeat the steps above and add the required number of deceptive File Storages. Once adding all the
File Storages, click Close icon to close the File Storage dialog.

84 Attivo Cloud User Guide

 Configuring cloud decoys
Configuring Azure cloud decoys 6

Note: Creating decoy File Storage and generating Attivo Endpoint Application does not create any deceptive
tokens (lures) on the endpoints. Therefore, the events will be generated only when the attacker tries to
access the File storage from Azure directly.

Creating deceptive Cosmos DB

Cosmos DB is a fully managed No SQL database service for the app development.
Steps:
1 Click Configure button present inside Cosmos DB section.

2 Cosmos DB dialog to add the details is displayed.

Field Description
DB Name Name for the deceptive Cosmos DB.
Cosmos DB API type API type to be used while creating the Cosmos DB.
Cosmos DB Location Region where the deceptive Cosmos DB needs to be deployed.
Container ID ID of the container in which the deceptive Cosmos DB needs to be deployed.
Database ID ID of the Database in which the deceptive Cosmos DB needs to be deployed.
Partition Key Partition key to be used while deploying the deceptive Cosmos DB.
Add Click to Add the deceptive Cosmos DB.
Clear Click to erase the entered details.

3 Repeat the steps above and add the required number of deceptive Cosmos DBs. Once adding all the
Cosmos DBs, click Close icon to close the Cosmos DB dialog.

Creating deceptive Azure Function App

A function app lets you group functions as a logical unit for easier management, deployment, scaling,
and sharing of resources.
Steps:
1 Click Configure button present inside Azure Function App section.

2 Azure Function App dialog to add the details is displayed.

Field Description
Function App Name Name of the deceptive Function app.
Function App Region in which the deceptive Function app needs to be deployed.
Location
Function Name Function name to be used in the deceptive Function App.
Storage Name Name of the Storage in which the deceptive Function App needs to be deployed.
Add Click to Add the deceptive Function App.
Clear Click to erase the entered details.

3 Repeat the steps above and add the required number of deceptive Function Apps. Once adding all the
Function Apps, click Close icon to close the Azure Function App dialog.

Attivo Cloud User Guide 85

6 Configuring cloud decoys
Configuring Azure cloud decoys

Creating deceptive Web App

Azure Web App Service is an HTTP-based service for hosting web applications, REST APIs and Mobile
applications.
Steps:
1 Click Configure button present inside Web App section.

2 Web App dialog to add the details is displayed.

Field Description
Web App Name Name for the deceptive Web App.
App Service Web Region in which the deceptive Web App needs to be deployed.
App Location
Index Document Name of the Index document.
Name
Error Document Path for storing the error document.
Path
File Import Click Browse button to upload the deceptive Web App.
Add Click to Add the deceptive Web App.
Clear Click to erase the entered details.

3 Repeat the steps above and add the required number of deceptive Web Apps. Once adding all the Web
Apps, click Close icon to close the Azure Web App dialog.

86 Attivo Cloud User Guide

7 Managing endpoint policies

Configuring scanner policies

There could be certain endpoints in your network such as scanners which you want Attivo Cloud to
engage but do not want the events to be displayed in the Attivo Cloud - Events page.
Engage but suppress the events: Attivo Cloud allows you to configure the scanner policy for such
endpoints. Once you configure a scanner policy for an endpoint, that endpoint becomes whitelisted/
excluded. The Attivo Cloud does engage the endpoint and generates events for the endpoint. However,
these events are not displayed in the Events page.
Note:
• When you create a scanner policy record, the earlier events from the same endpoint are still displayed
in the Events page. Only the subsequent events from the excluded endpoints are hidden from being
displayed in the Events page.

• Events generated during the excluded period are never displayed in the Events page even when you
remove the corresponding exclusion rule.

Creating scanner policies

A scanner policy defines the criteria for exclusion. You can define one or more scanner policies. You can
either manually create the scanner policies or create the scanner policies in bulk by importing the
details from a .csv file.

Manually create scanner policies

In a scanner policy, you can specify a single IP address or a range of IP addresses or the hostname of
the endpoint.
Steps:
1 In Attivo Cloud, click Configuration | Endpoint policies | Scanner Policies.

Scanner Policies page is displayed.

2 Click Add button.

Add Policy page is displayed.

3 Enter a name for policy in the Name field.

4 In the Description box, enter information about the scanner policy.

For example, you can enter the purpose of this policy. You need the description to easily locate the
record in the Scanner page.

5 Under Source IP(s) section, select Single IP or IP Range or Hostname based on how you want to
define the IP addresses.

• If you select Single option, you need to enter the IP address which you want to whitelist.

• If you select IP Range option, you need to enter the start and end IP addresses.

Attivo Cloud User Guide 87

7 Managing endpoint policies
Configuring scanner policies

• If you select the Hostname option, you must enter the name of the host that needs to be
whitelisted.

6 Under Source Ports section, optionally enter the source port number(s) or port numbers range in
the Port(s) field. Each of the source port number and port numbers range should be separated by
comma.

7 Under Destination Ports section, optionally enter the destination port number(s) or port numbers
range in the Port(s) field. Each of the destination port number and port numbers range should be
separated by comma.

8 Under Pattern section, add a string and click + icon.

The string can be any random text/phrase/numeric value which you expect that it may be present
in the events and you want such events to be suppressed.

9 Once you have added all the details, click Save.

Importing a .csv file to create scanner policies

If you have too many scanner policy records to configure, you can create a .csv file with the scanner
policy definitions and import it into Attivo Cloud. You can manually create a .csv file if you know the
format/header names to be used for each of the fields.

Exporting the empty .csv file

Attivo Cloud provides an easy option which will provide an empty .csv file having the headers by
default.
If you have not created any scanner policies and want to create using a .csv file, you can just export
the empty .csv file, add the details in the .csv file and import it again into Attivo Cloud. Scanner policy
records get created as per the details present in the imported .csv file.
Steps:
1 Click Configuration and select Endpoint Policies | Scanner Polices.

Scanner Policies page is displayed.

2 Click Export button.

The empty .csv file gets downloaded.

Note: Empty .csv can be downloaded only where there are no existing policy records already present in
the Scanner Policies page.

Defining the values in .csv file

When you open the empty .csv file, the headers for each of the fields present in a Scanner Policy is
displayed.

Add the details in the corresponding cells in the .csv file:

Name: Enter a name for the scanner policy you are creating.
Description: Enter a description which describes about the scanner policy you are creating.
Source Type:
• If you are whitelisting a single IP then you must enter the value as ‘source_ip’.

• If you are whitelisting a range of IP addresses, then you must enter the value as ‘range_ip’.

• If you are whitelisting an endpoint by its hostname, then you must enter the value as ‘host_name’.

88 Attivo Cloud User Guide

 Managing endpoint policies
Configuring scanner policies 7

Start IP: You must enter the IP address which you want to whitelist. If you are whitelisting a range of
IP addresses, then you must enter the starting IP address of the range.
End IP: You must enter the last IP address in the range. This is required when you are whitelisting a
range of IP address.
Hostname: When you are whitelisting an endpoint by its hostname, then you must enter the exact
hostname of the endpoint.
Source Port: You must enter the source port number by which the endpoint must be whitelisted.
Destination Port: You must enter the destination port number by which the endpoint must be
whitelisted.
Pattern: Enter the pattern string by which the endpoint must be whitelisted.

Importing the .csv file

Once the .csv file is ready, you must import it into Attivo Cloud create the scanner policies records.
Steps:
1 Click Configuration and select Endpoint Policies | Scanner Policies.

Scanner Policies page is displayed.

2 Click Import button.

CSV Import dialog is displayed.

3 Click Browse button in the File Import field, navigate to the folder location where you have saved
the .csv file and select it.

4 Click Add button.

The .csv file gets imported to Attivo Cloud.

5 The scanner policy records get created as per the details present in the .csv file.

6 Click Save.

Editing/deleting a scanner policy

You can edit or delete a scanner policy from the Scanner Policies page.
Steps:
1 Click Configuration and select Endpoint Policies | Scanner Polices.

Scanner Policies page is displayed.

2 Select the record you want to edit or delete.

You can search for records by entering a search string in the Search box. Any record containing
the search string is listed.

3 To edit the policy, click Edit and modify the details as required.

4 To delete the whitelist records, select the required records and Delete button.

5 After you edit or delete the whitelist records, click Save.

Exporting scanner policies

You can export all the scanner policies records to a .csv file.
Steps:
1 Click Configuration and select Endpoint Policies | Scanner Polices.

Scanner Policies page is displayed.

2 Click Export button.

All the Scanner Policy records are exported to a .csv file and the file is downloaded.

Attivo Cloud User Guide 89

7 Managing endpoint policies
Managing DNS policies

Notes:
• If the definitions in the .csv file do not meet the specifications, the whitelist records fail to be created.

• The Attivo Cloud ignores those rows which are not as per the specification but creates the records for
those records which meet the specification.

• Invalid entries in the .csv file are ignored during import and records are created only for those with
valid entries.

• If all the entries in the .csv file are invalid or do not conform to the specified format, then none of the
entries are imported even if message indicating successful import is displayed.

• Whitelist entries are skipped in the following scenarios.

• If the whitelist IP starts with 0 or 255, and / or IP is invalid.

• If the range is not valid. For example: 10.16.1.20-10.16.1.10.

• If source or destination port number is set to 0.

Managing DNS policies

Specify the decoy IP addresses

Define a list of decoy FQDNs (that is, fake DNS names) and a list of decoy IP addresses in the Attivo
Cloud. Attivo Cloud then randomly maps each decoy IP address to a decoy FQDN, and uses these decoy
IP address - FQDN pairs to deceive adversaries.

Note: The decoy FQDNs must not resolve to any IP address on your network. That is, you must not create
records for these decoy FQDNs on your production DNS.

The decoy IP addresses you enter are not acquired from the DHCP server nor configured on the
endpoints.
Before you begin:
Make a list of decoy FQDNs and a list of decoy IP addresses you want to use. You can enter IP
addresses as well as CIDR notations. If you provide CIDR notations, then the Attivo Cloud automatically
computes the corresponding IP addresses for the given CIDR.
Steps:
1 Select Configuration | Endpoint Policies | DNS Policies.

2 To import the list of FQDNs from a CSV file do the following:

90 Attivo Cloud User Guide

 Managing endpoint policies
Managing DNS policies 7

a Click the Export CSV file icon in the DNS Names to Intercept section to download a sample
CSV file.

b In the sample CSV file, enter the decoy FQDNs in each line and save the file.

c In Attivo Cloud, click the Import CSV file icon and import the entries from the CSV file.

The decoy FQDNs from the file are added to the list of existing FQDNs

d To add individual decoy FQDNs, enter it in the text box and click +

e Similarly, enter the decoy IP addresses or import them from a CSV file in the IP Addresses to
Intercept section.

You can enter CIDR notations or IP addresses. Example: 192.0.2.0/24

f Click Save.

Note:
• Attivo Cloud creates random FQDN-IP address pairs. To view these records, click Configuration
Report.

• If you delete, modify, or add an FQDN or an IP address, only the corresponding records are modified.
The other pairs remain unchanged.

• If there are more FQDNs than the IP addresses, then multiple FQDNs may be mapped to the same IP
address. Attivo Cloud ensures all the defined FQDNs have at least one IP address mapped to them. If
you add more IP addresses subsequently, then mappings are altered such that the new IP addresses
are utilized.

Attivo Cloud User Guide 91

7 Managing endpoint policies
Managing Exception policies

• If there are less FQDNs than the IP addresses, then the number of records matches the number of
FQDNs. For example, if there are 5 FQDNs and 10 decoy IP addresses, then only 5 records of FQDN-
IP address pairs are created.

Important: You must install Attivo Endpoint Application as a persistent service.

• You can add up to 1000 decoy FQDNs under DNS Names to Intercept section and 1000 decoy IP
address under IP Addresses to Intercept section. Therefore, you can have up to 1000 FQDN - IP
pairs under DNS policies configuration.

Managing Exception policies

EDN features like ADSecure-EP and DataCloak act on queries executed from untrusted processes.
Exceptions are criteria-based rules, which you can create. Based on these rules, the relevant EDN
features distinguish the queries they must act on, and the queries they can safely ignore.

Exceptions - an overview
You define exception rules in an Exception Policy. This section explains how to manage Exception
Policies.
You can create rules in an Exception Policy for the following EDN features:
• ADSecure-EP

• DataCloak

Note: For Deflect, you create exception rules in the corresponding Protection Policy.

Purpose of exception rules

ADSecure-EP and DataCloak function by validating the source of a query and not the query itself. For
these features, you can configure Attivo Endpoint Application to act on all queries, that is trust none
except the ones you specify. Alternatively, you configure Attivo Endpoint Application to act on queries
just from the processes you specify.
An Exception policy can be one of these two types - allow policy or intercept policy. For Attivo Endpoint
Application to act on all the queries and exempt just the ones you specify, you define an allow policy.
For Attivo Endpoint Application to act on queries just from specific processes, you define an intercept
policy.
In a protection policy, you specify whether to implement allow or intercept policies. Then Attivo
Endpoint Application implements the rules from the corresponding allow or intercept policies. By
default, protection policies are associated with allow policies.
• If you select Allow in the protection policy, then Attivo Endpoint Applications intercepts and acts on
the queries from all processes and services. Only the queries that meet the criteria as per the allow
rules are exempted.

Note: If an allow rule matches, Attivo Endpoint Application allows the corresponding queries. These
queries are not reported and no events are raised as well.

• If you select Intercept in the protection policy, then Attivo Endpoint Application intercepts and acts
on just those queries from the processes as per the intercept rules.

Is it mandatory to create exception policies?

Not mandatory. Though not viewable in the UI, a default list of allow rules and intercept rules are
present, and are applied as per your selection in the protection policy.

92 Attivo Cloud User Guide

 Managing endpoint policies
Managing Exception policies 7

The default allow rules exempt well-known security applications and other safe processes, which
execute queries for legitimate purposes. The default allow rules are broad-based. If you need allow
rules based on specific criteria like the parent process, current directory, user, and computer, you can
create allow rules.
The default intercept rules include processes, which are commonly used by adversaries. For example,
there are tools such as Bloodhound used by attackers for recon attacks on the Active Directory.
The exception rules you create are applied in addition to the default rules.
You cannot view the default exception rules in Attivo Cloud. You must contact Attivo Support for the
default exception rules. The default exception rules cannot be customized.

Tip: Review the default allow and intercept rules to determine if you need to create additional ones.

The subsequent sections detail the exception rules you can create.

How do exceptions work?

Using the Exceptions module, you can create specific rules to allow or intercept the required queries.
For example, you can create allow rules to exempt Windows PowerShell scripts for specific users (IT
administrators, for example), but only when the scripts are launched from specific folder paths. You can
even make the rule more granular by defining the queries, which a script is expected to run.
You can apply exceptions based on features (ADSecure-EP and DataCloak, for example) as well as
users (IT administrators and normal users, for example). This way, you can ensure the exceptions you
create do not allow any malicious queries to get through.
To enable such a high-level of granularity, the Exceptions module provides controls at various levels,
which are discussed in this section.

Configurations that impact exceptions

Configuring exceptions is at the following three levels:
1 As discussed earlier, you must select either Allow or Intercept in the protection policy.

At a given point in time, an Attivo Endpoint Application instance can implement either allow rules
or intercept rules for the applicable EDN features. For example, an Attivo Endpoint Application
instance cannot enforce allow rules for ADSecure-EP and intercept rules for DataCloak. To indicate
the type of rules (allow or intercept), you need to select either Allow or Intercept in a protection
policy. The default selection is Allow.

2 Tag each exception policy with the required protection policies.

You must tag an exception policy with one or more protection policies. At the next update interval,
Attivo Endpoint Application instances automatically consume the rules from all the applicable
exception policies.

3 In an exception policy, select the features for which Attivo Endpoint Application must apply the rules
in that policy. See Features relevant to exceptions.

For example, you might want DataCloak to allow certain applications used by your IT
administrators, but not by ADSecure-EP. In this case, you select DataCloak as the feature in the
Exception policy.

Features relevant to exceptions

You can apply an allow policy or an intercept policy to one or more of the following features:
• DataCloak: As discussed in the overview, exceptions are applicable for the Protect Files & Folders
and Protect Network Shares features. If you select DataCloak in an exception policy, then that
policy applies to the following types of queries:

• Local drive - This query type is related to enumeration or any action related to files and folders.

• SMB share - Related to enumeration or any action related to real (not decoy) network drives.

Attivo Cloud User Guide 93

7 Managing endpoint policies
Managing Exception policies

• ADSecure-EP: If you select this option in an exception policy, then that policy applies to queries
targeting the production AD. Following are the types of queries the exception policy impacts:

• Script - This query type is related to AD queries executed using a script. For example, it is common
for AD administrators to run queries through scripts as part of their job.

• LDAP search - Related to LDAP queries from untrusted sources upon which ADSecure-EP had acted
upon. For example, an attacker might use LDAP query to get the list of domain controllers.

• API calls - Related to API calls made by processes to query the AD. For example, an attacker uses
BloodHound or Windows PowerShell cmdlets, which make an API call to query the AD.

• Console Apps (Applications) - This selection applies to commands executed in Windows Command
shell, PowerShell, and Mimikatz. Examples are net commands and klist.

The query type is console input and can impact both ADSecure-EP and DataCloak. For Attivo
Endpoint Application to intercept console input, the following configurations are required in the
Global Settings tab of the protection policy:

• In the Communication Settings, you must set the Endpoint Reporting option to Aggressive.

• In the Engagement Settings, you must select the Console Apps option.

Understanding the allow policy

An allow policy provides a range of options for flexibility. Therefore, you can create broad-based rules
using * as a wildcard character. You can also create very precise and targeted rules by defining specific
criteria.
In allow rules, the criteria is broadly classified into 3 categories: Process or service, User, and Host.
Within each category, you can define multiple rows of information. For example, you can have a row for
powershell.exe, another row for traceview.exe, and so on. In each of these rows, you define the criteria
to exempt queries from that particular process. For example, you can define to allow queries from
powershell.exe, if the working (current) directory of Windows PowerShell is C:\Users\jdoe\.
• A Process/Services row is considered as a match only if all the criteria in that row matches (AND
condition). Consider you defined a row as follows:

• Process Name: powershell.exe

• Process Path: C:\Windows\System32\WindowsPowerShell\v1.0

• Working Directory: C:\Users\jdoe\

Then all these 3 criteria must match for this row to be considered a hit. If you specify criteria for
any of the advanced options, then even those must match for a hit.

• In the Users category, you can select domain users or enter local user names, which you want to
include as part of the criteria. You can specify multiple users in the same row or create a row for each
user. Regardless of whether you specify one user in each row or multiple users in the same row, it is
an OR condition.

• Similar to the users, you can select domain-joined hosts (computers) or enter host name as part of
the criteria.

Within a category, OR condition applies between rows of information. Consider you defined two rows
with the process name being powershell.exe in both, but the working directory as C:\Users\jdoe\ for
one and C:\Users\mdoe\ for the other. Now, the condition is true if the working directory of
powershell.exe matches either of those paths.
You can create an allow rule with any one of the categories or in any combination. Between categories,
AND condition is applicable.
Consider the simple allow rule shown in the screenshot below.

94 Attivo Cloud User Guide

 Managing endpoint policies
Managing Exception policies 7

The allow rule in the screenshot translates to:

Name of the process used for the query is powershell.exe AND the process path or powershell.exe is
C:\Windows\System32\WindowsPowerShell\v1.0 AND the working directory of powershell.exe is
C:\Users\jdoe AND the parent process of powershell.exe is explorer.exe.
OR
The name of the process used for the query is powershell.exe AND the process path or
powershell.exe is C:\Windows\System32\WindowsPowerShell\v1.0 AND the working directory of
powershell.exe is C:\Users\sadam AND the parent process of powershell.exe is explorer.exe.
AND
User executing the query is joe doe OR Scott Adam
AND
The endpoint from which the query is executed is JDOE-PC OR AUTOMATION-PC
Similarly, if you specify other parameters like the command line, query, service name, and so on then
all those fields should match for the process / service to be considered a hit.

Configuring exception policies

You create the allow policies and intercept policies separately. Per subscription, you can create up to a
maximum of 1000 exception rules that include both the allow and the intercept rules.

Note: Each exception rule is mutually exclusive. That is, each exception rule is evaluated separately with no
relation to another rule.

Tip: Contact Attivo Support to review the default allow and intercept rules and determine if you need to
create additional ones.

Attivo Cloud User Guide 95

7 Managing endpoint policies
Managing Exception policies

Configure an allow policy

This section provides the detailed steps to create an allow policy. Compared to the intercept rules, the
allow rules have more options to define specific criteria. To understand how an allow rule is evaluated,
review Understanding the allow policy.

Steps:
1 Navigate to Configuration | Endpoint policies | Exceptions policies.

2 Click Add Allow Policy.

3 Enter a rule name for identification purposes.

4 Select the protection policies for which this allow policy is applicable.

To know how your selection impacts functionality, see Understanding the allow policy

5 Select the features for which this allow policy is applicable.

To know how your selection impacts functionality, see Features relevant to exceptions.
6 Create a Process/Services row with the required criteria.

A blank record is displayed by default. To create more rows, click +Add Process.

Important: In an allow rule, you need not enter values for all the fields. However, the lesser values you
specify, the broader the exception. With broad exceptions, malicious queries might be able to pass
through undetected.

Consider a Process/Services row, where you have provided just the working directory. Then, Attivo
Endpoint Application exempts any process executed from this folder. Therefore, make sure you don’t
create broader rules than needed.

• Process Name: Enter the process name with the extension. Example: powershell.exe.

For example, you want to add the 32-bit and 64-bit Windows PowerShell to the allow rule. Then,
create a record mentioning just the process name. Alternatively, create 2 records with the
corresponding paths.

• Process Path: Enter the absolute path to where to the process is located.

You can get the process name and path from the properties of the process. Enter the path as
exactly as shown in the properties of the process (no backslash at the end in this example).

You can also get the process name, path, and publisher from the Endpoint Reports.

96 Attivo Cloud User Guide

 Managing endpoint policies
Managing Exception policies 7

• If you provide the process path, then process name is mandatory.

• You can use environmental variables to indicate the Windows installed directory. Examples:
%WINDIR%\System32 (or) C:\WINDOWS\System32.

• The process path can contain the wildcards ‘*’ and ‘?’.
• Working Directory: This is the current directory, from where a process is executed. For example,
AD administrators are using a tool, which regularly queries the AD for legitimate purposes. To
exempt these queries, you can use the folder from which AD administrators are expected to
execute the tool.

You can get the working directory (current directory) in the Process Explorer. Locate the
process in Process Explorer, then right-click to view the properties.

• If you specify the working directory, it is not mandatory to provide other values, including
process name.

Attivo Cloud User Guide 97

7 Managing endpoint policies
Managing Exception policies

• You can use environmental variables to indicate the Windows installed directory. Examples:
%WINDIR%\System32 (or) C:\WINDOWS\System32.

• The working directory you specify can contain wildcards ‘*’ and ‘?’.

7 Click the gear icon next to Process/Services.

• If the rule is for a service, select Is Service and enter the service name in the corresponding field.
Enter the service name as displayed in the properties of that service.

You can also enter just the service name and leave the process-related fields like the process
name and process path empty.

• If the service name is same but installed in different locations, then create different records with
the corresponding paths.

• Include sub-directory: This option applies only if you provide process path or working directory.
Select it to automatically include the subdirectories of the process path or the working directory in
the criteria. See the tooltip for more details.

• Allow all children: Select to exempt all child processes of a process.

8 Click Show Advanced to configure the following criteria.

• Publisher: To include the publisher name as a criteria, enter the publisher’s name of the process,
exactly as displayed in the Task Manager.

Specifying only the publisher name in a row makes the allow rule too broad. Therefore, you
must additionally provide the process name, process path, or the working directory.

98 Attivo Cloud User Guide

 Managing endpoint policies
Managing Exception policies 7

• Command Line: You can specify the command line of a process as a criteria. You can enter the
exact command line as showed in the Task Manager. You can also use regular expressions to define
the command line. It is not mandatory to provide the process name if you provide the command
line.

• Query: This option is applicable only to ThreatStrike. Consider that you have configured a folder to
hide. However, a process needs to access a file or sub-folder to function. Then, you can enter the
corresponding query for Attivo Endpoint Application to allow that query. You can also use regular
expressions in this query. It is not mandatory that you must enter the process name, if you provide
the query.

Consider you have hidden all the files and folders in the homepath. However, powershell.exe
requires its history file to function, and displays this error message.

To allow powershell.exe to access its history file, you can enter

C:\%HOMEPATH%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_h
istory.txt in the Query field. Alternatively, you can also enter *.txt in the Query field.

• Parent Process Name: For example, if you enter powershell.exe as the process and cscript.exe
as the parent process, then powershell.exe is exempted if its parent process is cscript.exe.
However, the parent process is not whitelisted.

Similar to the process, you can specify other parameters for the parent process. Note this
regarding Allow all children option for the parent process. Consider that you have defined
cscript.exe as the parent process and you have selected Allow all children option for cscript.exe.
Then, cscript.exe launches powershell.exe, which in turn calls cmd.exe. Now, both
powershell.exe and cmd.exe are exempted, but not cscript.exe.

9 You can add a local or domain user name in the allow rule.

• Enter a local user name in the following format: host name\user name. This format is same as the
result of the whoami command.

• You can enter a domain user name or a domain object like a security group or OU.

• You can enter the user name in the following formats: NetBIOS name of the
domain\sAMAccountName of the user (or) domain name\sAMAccountName of the user. Enter
the same sAMAccountName as displayed in the Attribute Editor tab of Active Directory Users and
Computers. Example: acmecorp\jdoe

• You can click the search icon and define the filters to retrieve the user objects. This is similar
to the process explained for the Add tab in the ADSecure-EP profile. After the search is
complete, you can use the filter option to easily locate a user. You can also export the search
results to a CSV file, if required.

Attivo Cloud User Guide 99

7 Managing endpoint policies
Managing Exception policies

10 You can add the computer name of an unjoined host or the FQDN of a domain-joined host in the allow
rule.

• In case of unjoined host, enter the computer name as in the system properties.

• To add domain-joined computers, you can enter the dnsHostName value, which you can find in
the Attribute Editor tab of Active Directory Users and Computers. Alternatively, click the search
icon and define the filters to retrieve the computer objects. You can also select AD objects like OU
to include all the corresponding computers in the rule.

11 Click Save to save the allow rule.

The corresponding Attivo Endpoint Application instances automatically consume the allow rule at
the next update.

Configure an intercept policy

Compared to the allow rules, the intercept rules are flat rules with lesser options. This section provides
the detailed steps to create intercept rules.
Steps:
1 Navigate to Configuration | Endpoint Policies | Exception policies.

2 From the list, select Add Intercept Policy.

3 Enter a rule name for identification purposes.

4 Select the protection policies for which this intercept policy is applicable.

To know how your selection impacts functionality, see Understanding the allow policy

5 Select the features for which this intercept policy is applicable.

To know how your selection impacts functionality, see Features relevant to exceptions.

6 Refer to Configure an allow policy and enter the process name, process path, and publisher name and
click Save.

The corresponding Attivo Endpoint Application instances automatically consume the allow rule at
the next update.

100 Attivo Cloud User Guide

 Managing endpoint policies
Managing protection policies 7

Managing protection policies

Lures, ThreatPath, DataCloak, Deflect, and ADSecure-EP are the endpoint security features available as
part of the EDN module in Attivo Cloud.
Using Lures you can install deceptive credentials on endpoints. ThreatPath displays potential attack
paths based on information gathered from endpoints. Using Deflect you can engage any connection
attempts on non existing services on an endpoint. To use any of the endpoint security features, you
must generate Attivo Endpoint Application and install it on the required endpoints.
Attivo Endpoint Application performs the required tasks on endpoints to implement an endpoint security
feature as per your configuration. In case of Lures, for example, Attivo Endpoint Application carries the
deceptive tokens you defined in a protection policy and installs them on endpoints as per the
randomization logic you specified in the Lures profile.
Steps to deploy Attivo Endpoint Application
1 Create a Protection policy.

2 Generate Attivo Endpoint Application.

3 Install Attivo Endpoint Application on endpoints.

Access Protection for Attivo Endpoint Application

By providing a nondescript or a generic name to the Attivo Endpoint Application service, you can
minimize the chances of users or malware from tampering with the Attivo Endpoint Application service.
For added security, you can authorize user accounts, which can modify the functional state of Attivo
Endpoint Application. Except the exempted user accounts and users with the access key, no user can
modify the status of Attivo Endpoint Application service. Even the local administrator and other
privileged users need an access key to change the status of Attivo Endpoint Application service. The
option to protect Attivo Endpoint Application service is referred to as Access Protection. You configure
Access Protection for an Attivo Endpoint Application instance in the corresponding protection policy.

Note: Access Protection is not enabled by default.

How does Access Protection secure Attivo Endpoint Application?

When you enable Access Protection, the following actions are prevented except for authorized user
accounts and users with the access key:
• Attivo Endpoint Application service cannot be stopped.

• Users cannot uninstall Attivo Endpoint Application in an interactive session (that is, using a Command
Prompt or Windows PowerShell).

• Without entering an access key, users cannot install Attivo Endpoint Application from a different client
group (because this will uninstall the current Attivo Endpoint Application).

• The registry keys related to Attivo Endpoint Application cannot be modified or deleted.

• The folder, where Attivo Endpoint Application is installed is write-protected.

• The software driver installed for features like ADSecure-EP, Deflect, and ThreatStrike (Windows Anti-
ransomware) is protected against any kind of modification.

Note: Enabling Access Protection does not prevent the actions you can do from the Analysis | Endpoints
page. For example, upgrade or downgrade of Attivo Endpoint Application version is not prevented.

How to enable Access Protection?

An access key is displayed by default, which you can customize. However, the custom access key must
be at least 15 characters in length. This access key is required to override access protection in
interactive sessions, where you log on to the endpoint. For example, this is required if you want to
uninstall Attivo Endpoint Application from the Command Prompt or Windows PowerShell.

Attivo Cloud User Guide 101

7 Managing endpoint policies
Managing protection policies

Note: If you change the access key, Attivo Endpoint Application is updated automatically at the next update
interval. The last 5 keys are also available for situations wherein an endpoint cannot contact the Attivo Cloud
anymore and you want to uninstall Attivo Endpoint Application.

This access key is encrypted using SHA-256 hash function to store it in the endpoints.
If a user provides an incorrect access key continuously for 5 or more times, then the Attivo Endpoint
Application locks the option to override access protection for the next 5 minutes. Also, an event is raised once
within the Reports Throttling Interval.

Important: As an additional precaution, save the access keys safely in a file.

In the Access Users table, you can define the users who can override access protection. You can enter
the AD users and service accounts, which are used for non-interactive sessions. For example, you can
define the user accounts, which your endpoint management application uses to logon to managed
endpoints. Note that these users are not exempted when they logon interactively. For example, a user
in this list still cannot uninstall Attivo Endpoint Application using Command Prompt.
To add a user or service account, enter the user name and the domain in which the object is defined.
You must have already configured this domain at Configuration | Active Directory | AD
Configuration. When you click +, the Manager queries the domain and fetches the SID.
You can define up to 5 user objects.

Note: You can enable or disable Access Protection at any point in the client group. Attivo Endpoint
Application functions accordingly after the next update.

Following are the sequence of commands related to Access Protection:

• windowssetup.exe /ia /service - This command installs Attivo Endpoint Application with the
corresponding endpoint features like ADSecure-EP and ThreatStrike. Access Protection is
automatically enabled if you have configured it in the corresponding client group.

• windowssetup.exe /ia /service /protectoff - Use this command to pause Access Protection. You
are prompted for the access key.

Note: This command only pauses Access Protection, but Attivo Endpoint Application continues to function
with the rest of the configuration. This command does not re-install Attivo Endpoint Application or the
endpoint features though you need to use /ia and /service parameters to use /protectoff.

Use /protectoff and /protecton (explained next) after you have installed Attivo Endpoint Application.

• windowssetup.exe /ia /service /protecton - Use this command to resume Access Protection. You
are prompted for the access key.

Note: Similarly, this command too does not re-install Attivo Endpoint Application or the endpoint
features, but just resumes Access Protection.

• windowssetup.exe /ua - This command removes Attivo Endpoint Application. You are prompted for
the access key if Access Protection is on but not if you have paused it.

When access protection is enabled and a user or program attempts to modify the status of Attivo
Endpoint Application, events are displayed in the Manager. These events are named are described as
Tampering of Attivo Endpoint detected. As with any event, click the binocular icon for the attack details.

Note: Tampering of Attivo Endpoint event is not raised for exempted users and when Access Protection is
suspended. You must select all three features (Console Apps, ADSecure-EP, and Lures) while making
an Allow Rule to exclude or whitelist any process, hosts, or users to modify the status of Attivo Endpoint
application.

How can you bypass Access Protection?

To disable access protection on all endpoints, disable it in the client group and it will be disabled at the
next update interval. For specific endpoints, the steps are provided below.

102 Attivo Cloud User Guide

 Managing endpoint policies
Managing protection policies 7

Interactive sessions:
1 Copy the access key from the corresponding client group.

2 On the endpoint, open Command Prompt or Windows PowerShell and navigate to the folder, which
contains Windowssetup.exe.

3 Execute Windowssetup.exe /ia /service /protectoff to pause Access Protection. Restrictions due
to access protection are now removed. For example, you can now stop the Attivo Endpoint Application
service from the Task Manager.

Access protection remains disabled until one of the following happens:

• You enable access protection again using the /ia /service /protecton parameter.

• The Attivo Endpoint Application restarts.

• The Attivo Endpoint Application service is restarted.

When you install Attivo Endpoint Application from a different client group, you are prompted to enter
the access key corresponding to the currently installed Attivo Endpoint Application.
For non-interactive sessions, the users defined in Access Users are exempted. If you add a user now,
that user is exempted at the next update interval.

Create or edit a protection policy

A protection policy is a set of rules that you can define for your feature configurations. As part of a
protection policy, you can choose to create a set of rules for different endpoint features like ADSecure-
EP, Deflect, Ransomeware, Threatpath, and Lures.

Steps:
1 Click the Configuration button and select Endpoint policies | Protection Policies.

Existing protection policies are listed.

2 Click Add or Edit based on the action you want to perform.

3 When you create a new protection policy, a default name is specified to it. This name is also used to
name the Attivo Endpoint Application ZIP file, when you generate it. You can choose to edit the name.
Maximum length is 32 characters. The name must not contain spaces. The name can contain
alphanumeric characters, underscores, and hyphens. No other characters are supported.

4 From the Features tab, click Configure Now on any of the features to configure a specific EDN
feature.
• ADSecure-EP - Create a protection policy

• DataCloak - Configuring DataCloak

• Lures - Create a protection policy

• Deflect - Create a protection policy

• ThreatPath - How to deploy ThreatPath?

Attivo Cloud User Guide 103

7 Managing endpoint policies
Managing protection policies

5 Select Global Settings tab, and specify the values in the fields.

Field Description
Secret Key This is a automatically created authentication token. Attivo Cloud uses this key to
authenticate your endpoints and provide the installation status. You cannot edit this field.
Update interval Specify an update interval (in minutes) to automatically update endpoints with changes to
(minutes) any of the endpoint security features. Automatic update works only if you install Attivo
Endpoint Application in service mode.
Post generation of Attivo Endpoint Application, any changes to deception object values are
not automatically pushed. You must click Apply to push the pending changes to endpoints.
Then, the changes are automatically applied on endpoints at the next update interval.
You can enter a value from 3 to 10080. The default is set to 480 minutes.

Note: The recommended minimum value is 60 minutes. Lower value can result in
performance issues in large deployments.

Reporting Interval Frequency at which Attivo Endpoint Application should send the collated AD and Windows
(minutes) Anti-ransomware queries to the Attivo Cloud for reporting purposes. Short frequencies can
place undue load on the Attivo Cloud. Recommended interval is 15 minutes.
Endpoint Reporting This field applies to ADSecure-EP and Windows Anti-ransomware (Hide Files, Folders, and
Shares). The Endpoint Reporting and the Console Apps settings are interdependent. This
is detailed in Interdependency between Endpoint Reporting and Console Apps settings.
• Queries of type console input executed in Windows PowerShell are not reported if it is
a 32-bit PowerShell process running on a 64-bit Windows platform. For example, if you
execute klist on such a setup, the console input entry wherein the process is
powershell.exe is not reported. However, the API call entry for klist.exe is reported.
• On endpoints running Windows 7 and Windows Server 2008, Attivo Endpoint
Application reports commands executed in Windows PowerShell only if the Windows
PowerShell version is 3.0 and command history is enabled in Windows PowerShell.
Each Endpoint Reporting option is detailed in the following rows.
Endpoint Reporting: In this mode, Attivo Endpoint Application reports the following:
Conservative • API calls
• LDAP queries (including queries from tools like BloodHound)
• Following commands executed from cmd.exe, powershell.exe/pwsh.exe, and Mimikatz
• AD queries like net commands
• AD queries from PowerShell
• Local drive and SMB share enumeration queries from cmd.exe and powershell.exe/
pwsh.exe
• Queries executed from Mimikatz,
This option reports only the queries, which may be highly suspicious when executed by an
untrusted process, user, or computer.
Examples: net commands, API calls to the AD, and LDAP queries. Therefore, in the
Conservative mode, Attivo Endpoint Application reports the least number of queries.
Endpoint Reporting: In addition to what is reported for Conservative, Attivo Endpoint Application reports
Moderate PowerShell cmdlets, commands, and tools, regardless of whether these queries are related
to AD or file/folder/share enumeration.
In the moderate mode, Attivo Endpoint Application reports the suspicious commands as
well as additional commands like msinfo32, which may be used in preparation of an
attack.
Endpoint Reporting: In addition to what is reported for Moderate, Attivo Endpoint Application reports the
Aggressive following:
• All commands executed by a child process of cmd.exe
• All commands executed in powershell.exe/pwsh.exe
• All commands executed in Mimikatz
Therefore, in the Aggressive mode, Attivo Endpoint Application reports the maximum
number of queries.
Server If you enable this option, Attivo Endpoint Application authenticates the server certificate
Authentication presented by Attivo Cloud. You must disable this option, if there is an authenticated proxy
or SSL termination device between Attivo Endpoint Application and Attivo Cloud.

104 Attivo Cloud User Guide

 Managing endpoint policies
Managing protection policies 7

Field Description
Reports Throttling The time for which Attivo Endpoint Application instances cache an AD or Windows Anti-
Interval (minutes) ransomware query and console commands so that the same query is not reported again
during this time period. This avoids redundant reporting of such queries.
Because Attivo Endpoint Application does not report repeated queries for this time period,
the Attivo Cloud also does not raise events for such queries.

Note: This time period applies to exactly same queries executed on an endpoint but
regardless of the user involved.

The default value is 2880 minutes (2 days). The recommended minimum value is 60
minutes. The maximum allowed is 10080 minutes (7 days). Ideally, the Reporting Interval
must be less than Reports Throttling Interval.
Engagement settings
The settings are applicable only to ADSecure-EP and Windows Anti-ransomware (ThreatStrike).
Console Apps This option is available if you select ADSecure-EP profile in the client group. However, it
applies to ADSecure-EP and Windows Anti-ransomware (ThreatStrike).
Select this option for Attivo Endpoint Application to report commands executed in Windows
Command shell, PowerShell, and Mimikatz. Examples: net commands and klist.
The Endpoint Reporting and the Console Apps settings are interdependent. This is detailed
in Interdependency between Endpoint Reporting and Console Apps settings.
Exceptions Select whether to apply allow rules or intercept rules for ADSecure-EP and DataCloak
features. See the chapter on Exceptions for EDN features for more information.
Access Protection
Enable Enable Access Protection to protect the functional state of Attivo Endpoint Application
service from being altered.

Note: Access Protection is available only if Attivo Endpoint Application runs in service
mode.

See How does Access Protection secure Attivo Endpoint Application?.

Access Key A default key is displayed, which you can change if required. Note that such a key must be
at least 15 characters in length.
Older Keys contains the last 5 access keys saved in this client group. See How to enable
Access Protection?.
Access Users Configure up to 5 users or service accounts who can override access protection. Note that
these users can override only in non-interactive sessions. To override in an interactive
session, users must use the access key.
In an non-interactive session, users not defined here can still override access protection
using the access key.
It is optional to specify the domain name. However, the domain name must be already
defined at Configuration | Endpoints | Active Directory.
If you do not specify the domain name, then the user is considered as a local user on the
endpoint. For more information, see How to enable Access Protection?.
Service/Application Name Customization
For Windows endpoints, you can customize the folder name, service name, service description, and location. The
related fields are described in detail below.
In case of Linux and Mac, you can customize the folder and service names.

Attivo Cloud User Guide 105

7 Managing endpoint policies
Managing protection policies

Field Description
Service Name If you install Attivo Endpoint Application in the service mode, the corresponding service
name on endpoints is EPSecClient. The binary file, which implements the endpoint
features is also named as EPSecClient. You can provide a custom service name in the
Service Name field. Then, this name is used for the binary as well.
If you install with the -ia parameter in non-service mode, then the binary is named as per
the entry in the Service Name field.
Following points apply only to Windows:
If you install Attivo Endpoint Application for all users, then Attivo Endpoint Application
creates one scheduler task on the corresponding endpoints. This scheduler task is named
as per the service name you enter in this field.

Note: The Service Name cannot contain back slash, forward slash, colon, asterisk, angle
brackets, or pipe. The allowed length is from 3 to 32 characters.

Application Name In the security applications, you can whitelist this folder (that is, the folder corresponding
to the name you have specified in the Service Display Name field). This avoids false
alerts by those security applications. The default value is EPSecClient. You can enter a
custom folder name in the Service Display Name field.
Following points apply only to Windows:
In case of Windows, if you run Attivo Endpoint Application with /ia or /service parameter,
by default, the binary file is created at %programdata%\EPSecClient folder.
Instead of %programdata%, you can also install the Attivo Endpoint Application binary file
at a different location on the endpoints. To do so, use the Installation Path field
described below.
Consider that in the client group, you configure tsa_client as the Application Name
and C:\Users\tsa as the Installation Path.
Consider you execute the following example commands:
Example 1: <name of the Attivo Endpoint Application EXE file> /i
Example 2: <name of the Attivo Endpoint Application EXE file> /ia
In example 1, the Attivo Endpoint Application binary file is created for the current user at
C:\Users\tsa\tsa_client.
In example 2, the Attivo Endpoint Application binary file is created for all users at
C:\Users\tsa\tsa_client.
In case of Linux:
• If you run with -i, then the EPSecClient directory is created in the home directory of the
current user. Attivo Endpoint Application is run just once for the current user.
• If your run with -ia, then the EPSecClient directory is created as a subdirectory in etc.
The EPSecClient binary is stored in the EPSecClient directory. This binary is executed
for each user logon.
• If your run with -i or -ia with -service, then the EPSecClient directory is created as a
subdirectory in etc. The EPSecClient binary is stored in the EPSecClient directory.
In case of Mac:
• If you run with -i, then the EPSecClient directory is created in the home directory of the
current user. Attivo Endpoint Application is run just once for the current user.
• If your run with -ia, then the EPSecClient directory is created as a subdirectory in /
Users/Shared. The EPSecClient binary is stored in the EPSecClient directory. This binary
is executed for each user logon.
• If your run with -i or -ia with -service, then the EPSecClient directory is created as a
subdirectory in /Users/Shared. The EPSecClient binary is stored in the EPSecClient
directory.

Note: The Display Name cannot contain back slash, forward slash, colon, asterisk, angle
brackets, or pipe. The allowed length is from 3 to 32 characters.

106 Attivo Cloud User Guide

 Managing endpoint policies
Managing protection policies 7

Field Description
Service Description This field applies only to Windows endpoints.
The default service description is Endpoint Security Client, which you can change if
required.
Installation Path This field applies only to Windows endpoints.
By default, this field will be displayed as empty and you can either leave it empty or specify
the folder path as per your requirement.
• If you leave this field as empty and if you run Attivo Endpoint Application with
/ia and or /service parameters, by default, the binary file is created at
%programdata% folder.

• If you specify a different path and if you run Attivo Endpoint Application with
/ia and or /service parameters, the binary file is created at the folder path
specified in this field.

Note: If you are deploying for all users i.e., for /ia parameter, it is recommended
to use %programfiles% or any other secure folder path (where non-admin users
do not have full write permissions) as the installation path.

• If you choose to either specify a path or leave this field empty and install the
Attivo Endpoint Application with only /i parameter then Attivo installs only the
breadcrumbs on the endpoint and exits the installation without leaving any
installation files anywhere. Also, there would be no process running from
Attivo on the endpoint after the breadcrumbs are installed.

• Installation path field is not applicable in case of dissolvable mode (/i only)
installation. In this mode, endpoint installer installs only the breadcrumbs and
there would be no process running on the endpoint and no installation files
will be created on the endpoint.

Note: In dissolvable mode, if ThreatStrike profile has LSASS application

breadcrumbs configured or breadcrumbs Refresh option is selected then Attivo
endpoint agent will run on the endpoint to refresh the LSASS breadcrumbs or to
refresh other breadcrumbs at regular intervals respectively.

Attivo Endpoint Application is installed on the endpoints at the location specified here. You
must use the same location for uninstallation.
The folder where you want to install Attivo Endpoint Application must already exist on the
endpoint and also whitelisted in the endpoint security applications.
Also review the information for /p under Common Attivo Endpoint Application parameters.
For Linux and Mac endpoints, Attivo Endpoint Application is installed at the default location.

For information about Save, Apply Changes, and Download buttons, see Generate Attivo Endpoint
Application.

Interdependency between Endpoint Reporting and Console Apps settings

The following table explains the ADSecure-EP and DataCloak functionality for the all possible
combinations of Endpoint Reporting and Console Apps options.

Attivo Cloud User Guide 107

7 Managing endpoint policies
Managing protection policies

Endpoint Reporting Console Apps Microsoft AMSI set Functionality of Attivo Endpoint
set to... to... Application
Conservative, Disabled Not applicable Reports only API calls and LDAP
Moderate, or queries.
Aggressive
Conservative Enabled Disabled Reports AD queries from
powershell.exe/pwsh.exe, cmd.exe,
and Mimikatz.
Examples: net commands, API calls to
AD, and LDAP queries. These are highly
suspicious when reported from
untrusted processes, users, or
computers.
Conservative Enabled Console Same as above. But Attivo Endpoint
Application scans the AMSI buffer for
these commands. Commands in scripts
are not considered.
Conservative Enabled Console and Script Same as above. But in this case
commands in PowerShell scripts are
also considered.
Moderate Enabled Disabled Reports:
• API calls
• LDAP queries (including from tools
like BloodHound)
• Following commands executed from
cmd.exe, powershell.exe/pwsh.exe,
and Mimikatz
• AD queries like net commands
• AD queries from PowerShell
• Local drive and SMB share
enumeration queries from
cmd.exe and powershell.exe/
pwsh.exe
• Queries executed in Mimikatz
Additionally, Attivo Endpoint
Application reports PowerShell cmdlets,
commands, and tools, even if they are
not AD-related queries.

In addition to the suspicious commands

reported in case of Conservative, in
this mode Attivo Endpoint Application
reports some more additional
commands. For example, commands
like msinfo32, which may be used for
recon purposes.
Moderate Enabled Console Same as above. But Attivo Endpoint
Application scans the AMSI buffer for
these commands. Commands in scripts
are not considered.
Moderate Enabled Console and Script Same as above. But in this case
commands in PowerShell scripts are
also considered.
Aggressive Enabled Disabled Reports:
• All commands executed by a child
process of cmd.exe
• All commands executed in
powershell.exe/pwsh.exe
• All commands executed in Mimikatz

108 Attivo Cloud User Guide

 Managing endpoint policies
Managing protection policies 7

Endpoint Reporting Console Apps Microsoft AMSI set Functionality of Attivo Endpoint
set to... to... Application
Aggressive Enabled Console Same as above. But Attivo Endpoint
Application scans the AMSI buffer for
these commands. Commands in scripts
are not considered.
Aggressive Enabled Console and Script Same as above. But in this case
commands in PowerShell scripts are
also considered.

Note: If you have configured ADSecure-EP or DataCloak (Hide Files, Folders, and Shares) and you wish to
uninstall the Attivo Endpoint Application, you must reboot the endpoint to completely clean up the Attivo files.

Generate Attivo Endpoint Application

After you create a protection policy including the EDN features that you wish to deploy and your global
settings, you can generate Attivo Endpoint Application.
Steps:
1 Click the Configuration button and select Endpoint Policies | Protection Policies.

2 To search for a protection policy record, enter a search string in the Quick Find.

Records containing the string in any of the fields are listed.

3 Select a protection policy and click Edit.

4 Make any changes or updates and click Save to save the updates.

5 Click Apply Changes to reinsert the configured Lures tokens, files, and network shares on all the
endpoints corresponding to this protection policy.

6 Click Download to generate Attivo Endpoint Application.

Note: You can generate Attivo Endpoint Application from one protection policy at a time.

This ZIP file is prefixed with Endpoint and named after the Client group name you provided
followed by the date and time of the file generation.

For example: Endpoint-Analysis_Endpoint_Profile-30-Nov-2019-115102

In the above example:

Endpoint - Prefix

Analysis_Endpoint_Profile - Client Group Name

30-Nov-2019-115102 - Date and time of file generation

Attivo Cloud User Guide 109

7 Managing endpoint policies
Managing protection policies

110 Attivo Cloud User Guide

8 ADSecure-EP

After gaining initial entry, one of the prime targets for attackers is the Active Directory. To compromise
the Active Directory, attackers generally start with reconnaissance using certain tools and techniques.
These tools and techniques rely on querying the Active Directory. For example, the attacker might use
the BloodHound tool to identify the endpoints on which domain admins are currently logged on.
ADSecure-EP is part of the Endpoint Detection net module in Attivo Cloud. Like the other endpoint
features such as Lures and ThreatPath, ADSecure-EP is delivered by the Attivo Endpoint Application
installed on the endpoints. When an attacker queries the production Active Directory, ADSecure-EP
modifies the response to hide the real AD objects and show deceptive ones instead.

How ADSecure-EP protects your Active Directory?

ADSecure-EP first identifies AD lookups from untrusted applications, users, and computers. Then,
ADSecure-EP removes the real AD objects in the corresponding response and instead inserts the
deceptive objects. This way, ADSecure-EP not only protects the production AD from attackers but also
lures them to the decoy .
For example, if the attacker executes nltest /dsgetdc:<domain name> command, ADSecure-EP
inserts the decoy instead of the production domain controllers in the response. To validate these
deceptive AD objects, ADSecure-EP can also return the active net sessions and Kerberos service tickets
featuring the decoy .

Attivo Cloud User Guide 111

8 ADSecure-EP
Requirements and considerations

You can configure ADSecure-EP to protect all the domains and their subdomains in one or more forests.
When you configure ADSecure-EP, the Attivo Cloud queries the production domains you configured, and
then populates the AD objects in the ADSecure-EP user interface. You can configure ADSecure-EP to
hide these production AD objects as well as add decoy objects in the response from the AD.

Table 8-1 AD objects that you can protect using ADSecure-EP

Object type Objects
Users • Privileged administrators (that is, users who are members of the following built-in
groups):
• Account operators
• Administrators
• Domain admins
• Enterprise admins
• Group policy creator owners
• Schema admins
• Delegated administrators / Shadow administrators (ACLs)
• Normal users (with lesser privileges)
Computers • Domain controllers

• Computers
Service accounts • Managed service accounts

• Unmanaged service accounts (that is, user objects with service principal
names - SPNs)

Note: You can use ADSecure-EP to protect objects in custom groups as well as all users and computers at an OU
level.

Note: ADSecure-EP acts on AD queries based just on the source of the query. ADSecure-EP does not validate
if a query itself is suspicious. For example, ADSecure-EP acts on all AD queries from untrusted applications.
Therefore, if a trusted application performs a suspicious AD query, ADSecure-EP does not act on that.

Requirements and considerations

Review this section before you deploy ADSecure-EP.

Requirements
• Attivo Endpoint Application must be installed in service mode for the same or all users.

• DNS records on the production DNS server are required for all decoy IP addresses used in ADSecure-
EP.

• Decoy IP addresses. The FQDNs will be inserted as the domain controllers and computers in the AD
response.

• Decoy IP addresses. These are needed to show the deceptive active sessions.

Considerations
• ADSecure-EP is a powerful module, which acts on unauthorized AD queries and API calls to protect
your AD infrastructure. Before you deploy ADSecure-EP in production, try ADSecure-EP thoroughly
in a test environment. The endpoints in the test environment must mirror the production endpoints
regarding the operating systems, installed applications, and other software.

112 Attivo Cloud User Guide

 ADSecure-EP
Requirements and considerations 8

A detailed testing is recommended to:

• Make sure ADSecure-EP does not cause any impact on the endpoint’s applications.

• Identify all the legitimate AD queries and API calls from various applications and users. This can
help you modify ADSecure-EP configuration and exempt legitimate applications accordingly.

• ADSecure-EP provides Alert Only mode for you to evaluate how your ADSecure-EP configuration
impacts legitimate AD queries. That is, you can select the production AD objects to be hidden and the
deceptive AD objects to be inserted in AD responses. You can also define the exception list.

When in Alert Only mode, ADSecure-EP functions as per your configuration, and provides the AD
query details in the reports and events. However, ADSecure-EP does not modify the AD response
in any way in this mode. Therefore, you can review the ADSecure-EP report and events to assess if
you need to modify your ADSecure-EP configuration further.

When you first deploy ADSecure-EP on production endpoints, deploy ADSecure-EP in Alert Only
mode, analyze the ADSecure-EP report, and tweak the ADSecure-EP configuration as required.
When you are ready to fully implement ADSecure-EP, you can select Alert and Engage mode.

Important: The only difference in Alert Only mode is that ADSecure-EP does not alter the responses
from the AD. Therefore, you still need to try ADSecure-EP in a test environment to analyze the impact on
the applications on your production endpoints.

• Before you apply Windows updates on production endpoints with ADSecure-EP, recommend that you
qualify the Windows updates with ADSecure-EP to make sure the endpoints continue to function
normally even with the newly installed Windows updates.

• ADSecure-EP is supported only on the following operating systems:

• Windows 7

• Windows 8.1

• Windows 10

• Windows 11

• Windows Server 2008

• Windows Server 2012

• Windows Server 2016

• Windows Server 2019

• Windows Server 2022

• Recommend that you do not install ADSecure-EP on servers such as Active Directory Domain
Controller and Exchange Server.

• To deploy ADSecure-EP, you must install Attivo Endpoint Application in service mode. Unlike other
endpoint features such as ThreatStrike, ADSecure-EP is a system-wide deployment. That is, even if
you install Attivo Endpoint Application with the /i (current user) parameter, ADSecure-EP is
implemented for all users of that endpoint, regardless of whether they are domain-joined or not.

• Make a definitive list of all processes, services, users, and computers that you want ADSecure-EP to
exempt - allow rules. Alternatively, make a list of processes that you want ADSecure-EP to monitor -
intercept rules.

A default set of allow and intercept rules corresponding to processes is included. These default
allow and intercept rules are not viewable. These default lists are available on Attivo Support Portal
for your reference. If required, you can create additional allow and intercept rules in Attivo Cloud
as per your requirement.

Attivo Cloud User Guide 113

8 ADSecure-EP
Requirements and considerations

Note: You cannot modify the default allow or intercept rules.

• Add Attivo Endpoint Application to the exception list in all the endpoint security solutions to ensure
the ADSecure-EP-related operations are not blocked.

• ADSecure-EP secures LDAP queries and related API calls. ADSecure-EP can also block communication
to AD Web Services. AD queries through other mechanisms are not supported in the current release.

• In the ADSecure-EP report and events, commands executed in Windows PowerShell are not reported
if it is a 32-bit PowerShell process running on a 64-bit Windows platform.

• On endpoints running Windows 7 and Windows Server 2008, ADSecure-EP reports commands
executed in Windows PowerShell, only if the Windows PowerShell version is 3.0 and command history
is enabled in Windows PowerShell.
• ADSecure-EP functions as configured when AD queries are executed using PowerShell 7.0. However,
ADSecure-EP cannot block the traffic to AD Web services when PowerShell 7.0 is used.

• On an endpoint, if the currently logged on user is exempted (allow rule), then all the AD lookup
performed by this user are also exempted. This applies even if this user performs the AD lookup with
the privileges of a user, who is not exempted (using the Run as command for example).

Consider the contrary, wherein the currently logged on user is not exempted, but this user
performs the AD lookup as another user, who is exempted. In this case, the AD lookup is
exempted.

ADSecure-EP report provides both the logged on user as well as the user context from which an AD
query is executed.

• When you modify any settings in ADSecure-EP, Attivo Cloud automatically sends the changes to the
Attivo Endpoint Application instances at the next update interval.

• After you uninstall Attivo Endpoint Application, a reboot of the endpoint is required to delete any
residue Attivo files. For such cases, the Installation Status in the Endpoints page at Analysis |
Endpoints displays as Uninstallation completed reboot needed. Even after you reboot, this status is
unchanged because Attivo Cloud cannot be updated about the reboot post uninstallation. If required,
you can consider deleting the corresponding record in the Endpoints page.

FAQs

Do I need to run any script or make any changes on my production AD for ADSecure-EP to
work?
ADSecure-EP does not require you to make any configuration on the production AD.
What are the advantages of ADSecure-EP?
The advantages of ADSecure-EP are as follows:
• ADSecure-EP hides production objects and instead displays deceptive privileged users, delegated or
shadow admins, and managed service accounts on the fly in the AD responses. These deceptive
objects are not created on the production AD.

• The attributes of the deceptive objects displayed by ADSecure-EP exactly match with those of the
production objects.

• ADSecure-EP provides deceptive active sessions and Kerberos tickets to support the deceptive
objects.

• ADSecure-EP presents decoy domain controllers, which can look authentic to attackers.

• The deceptive AD objects presented by ADSecure-EP are authentic to deceive even penetration-
testing tools such as BloodHound.

114 Attivo Cloud User Guide

 ADSecure-EP
Deploying ADSecure-EP 8

• ADSecure-EP does not require any changes on the production AD. Therefore, you do not need to
involve the AD team when you configure ADSecure-EP.

Do I need to provide administrator privileges of the production AD to configure ADSecure-

EP?
A user name with read access will suffice. If you select the referral option, then recommend a user
name belonging to the root domain. This ensures you can protect objects from the entire forest. If you
define only subdomains in ADSecure-EP, then ADSecure-EP will not be able to protect root domain
objects such as Enterprise Admins and Schema Admins.

Will legitimate AD lookups be affected because of ADSecure-EP?

No. If you select Allow Rule in the exception policies, then create allow rules to exempt all the
legitimate applications, users, and computers which perform AD lookups. If you select Intercept Rule,
ADSecure-EP monitors only the AD lookups from the corresponding applications. Before you deploy in
production, try ADSecure-EP in a test environment. Also, initially in production, deploy ADSecure-EP in
Alert Only mode to check and tweak the configuration as required.

Will ADSecure-EP add to the load of the production AD?

When you define the production AD details, Attivo Cloud queries these Active Directories to fetch the
objects. You can configure the frequency from 1 to 30 days for the subsequent queries to the Active
Directories. The default frequency is set to 7 days. You can also trigger a manual query at any time.
Factor in these to determine the load on your production AD.

Do I need to generate and install Attivo Endpoint Application again to deploy ADSecure-EP?
Not required if Attivo Endpoint Application is already running in service mode. You can select the
ADSecure-EP in an existing protection policy, and click Apply. Then, Attivo Endpoint Application is
updated with ADSecure-EP configuration on the next update.

Deploying ADSecure-EP
To deploy ADSecure-EP, you first create a protection policy. A protection policy is a set of rules that you
can define for your feature configurations. As part of a protection policy, you can choose to create a set
of rules for different endpoint features like ADSecure-EP, Deflect, Ransomeware, Threatpath, and
Lures.
To configure the rules for ADSecure-EP, follow these steps.

Prerequisite tasks for ADSecure-EP

This section details the tasks that you must complete before you create a protection policy for
ADSecure-EP configuration.

Specify the DNS names and decoy IP addresses

Define a list of decoy FQDNs (that is, fake DNS names) and a list of decoy IP addresses in the Attivo
Cloud. Attivo Cloud then randomly maps each decoy IP address to a decoy FQDN, and uses these decoy
IP address - FQDN pairs to deceive adversaries.

Note: The decoy FQDNs must not resolve to any IP address on your network. That is, you must not create
records for these decoy FQDNs on your production DNS.

The decoy IP addresses you enter are not acquired from the DHCP server nor configured on the
endpoints.
Before you begin:

Attivo Cloud User Guide 115

8 ADSecure-EP
Deploying ADSecure-EP

Make a list of decoy FQDNs and a list of decoy IP addresses you want to use. You can enter IP
addresses as well as CIDR notations. If you provide CIDR notations, then the Attivo Cloud automatically
computes the corresponding IP addresses for the given CIDR.
Steps:
1 Select Configuration | Endpoint Policies | DNS Policies.

2 To import the list of FQDNs from a CSV file do the following:

a Click the Export CSV file icon in the DNS Names to Intercept section to download a sample
CSV file.

b In the sample CSV file, enter the decoy FQDNs in each line and save the file.

c In Attivo Cloud, click the Import CSV file icon and import the entries from the CSV file.

The decoy FQDNs from the file are added to the list of existing FQDNs
d To add individual decoy FQDNs, enter it in the text box and click +

e Similarly, enter the decoy IP addresses or import them from a CSV file in the IP Addresses to
Intercept section.

You can enter CIDR notations or IP addresses. Example: 192.0.2.0/24

f Click Save.

Note:
• Attivo Cloud creates random FQDN-IP address pairs. To view these records, click Configuration
Report.

116 Attivo Cloud User Guide

 ADSecure-EP
Deploying ADSecure-EP 8

• If you delete, modify, or add an FQDN or an IP address, only the corresponding records are modified.
The other pairs remain unchanged.

• If there are more FQDNs than the IP addresses, then multiple FQDNs may be mapped to the same IP
address. Attivo Cloud ensures all the defined FQDNs have at least one IP address mapped to them. If
you add more IP addresses subsequently, then mappings are altered such that the new IP addresses
are utilized.

• If there are less FQDNs than the IP addresses, then the number of records matches the number of
FQDNs. For example, if there are 5 FQDNs and 10 decoy IP addresses, then only 5 records of FQDN-
IP address pairs are created.

Important: You must install Attivo Endpoint Application as a persistent service

Currently, you can install Attivo Endpoint Application on Windows and Linux only.

Configure Active Directory server details

Provide the AD details that you want to protect using ADSecure-EP. You must provide the credentials
that have at least read permissions in the corresponding domains
Before you begin:
Make sure you have the following details:
• The Fully Qualified Domain Name (FQDN) of the domain.

• The DNS server IP address, which can resolve the FQDN.

Steps:
1 Click the Configuration and select Active Directory | AD Configuration.

2 To add the details of an AD server, click the Add button.

Table 8-2 AD server details

Field Description
DC FQDN/IP Enter the full computer name or IPv4 address of the Windows AD server.
Example: adserver.acme-corp.com

Note: If you enable SSL option, then you need to provide the Fully Qualified
Domain Name (FQDN) in this field. AD authentication fails if the host name in the
FQDN doesn’t match the Subject Name or the Subject Alternate Name in the SSL
certificate. IP address will work provided it is available in the Subject Alternate
Name.

Username Enter the user name that Attivo Cloud can use to query the AD server. This user name
needs just read access on the AD server.
You can enter the user name in these 3 formats: UPN, NetBIOS, or just the user name.
UPN format: For example, if the configured domain is acme.com, you can enter
jdoe@sales.acme.com as a user name. That is, you can even enter a user from a child
domain.

Note: In the UPN, you can also enter an alternative UPN suffix (domain alias).

NetBIOS format: If the configured domain is sales.acme.com, and the corresponding

NetBIOS for the domain is SALES, you can enter SALES\jdoe. (SALES.ACME.COM\jdoe
is not valid).
Only the user name: For example, if the configured domain is sales.acme.com, you can
enter jdoe.

Tip: Recommend that you configure an unmanaged service account because a normal
user account can be impacted by security policies like password expiry.

Attivo Cloud User Guide 117

8 ADSecure-EP
Deploying ADSecure-EP

Table 8-2 AD server details

Field Description
Password Enter the corresponding password.
Domain name Enter the FQDN of the domain or the sub domain.
Example: acme-corp.com
Encryption Method Select SSL if the traffic between Attivo Cloud and Windows Active Directory should be
encrypted.
LDAP Port Enter the port number Attivo Cloud should use to communicate with the Windows Active
Directory.
Make sure the correct port number is entered. If SSL is enabled, the default port is 636. If
SSL is disabled, the default port is 389.
Referral Select to enable referral chasing to query the sub-domains.
ADAssessor: Select to enable the Threat Detection functionality of ADAssessor.
Enable Threat When you enable Threat Detection for a domain, Attivo Cloud collects the user objects with
Detection the required attribute values for its analysis. This process can take several minutes. The
time taken depends on the number of user objects and the number of domains (if Include
All Domains is selected). The Sync Status column in the Active Directory Configuration
page displays the status - failed, pending, or completed.

Important: The sync is an one-time process. Pending indicates the sync is in progress.
During this time, just the Threat Detection for the corresponding domains is suspended.
There is no other impact on ADAssessor functionality. However, refrain from making any
changes to the AD Server record in the Attivo Cloud UI when Sync Status is in pending
state.

If the Sync Status is in failed state, retry by disabling and then enabling it back again. If
it still fails, check the connection between Attivo Cloud, Attivo CloudLink, and the DC. Also,
make sure you have complied with Additional requirements and considerations for Threat
Detection.
If you disable Threat Detection, the synced user objects in Attivo Cloud is deleted. Then
the Sync Status shows NA. If you enable again, the sync happens again, which can take
several minutes as discussed previously.
Post the sync, when user objects are added or deleted in the AD, similar changes are made
to the copy of the user objects in Attivo Cloud.
For the details of the user objects and the attributes stored in Attivo Cloud, refer to Attivo's
Cloud Security, Data, and Availability Considerations document.
ADAssessor: Attivo Cloud discovers subdomains and displays them in the UI as part of the AD topology.
Include All domains However, the ADAssessor module queries and assesses the subdomains only if you select
this option. Else, it assesses only the domains you configure.
If you select Include All Domains, then select Referral too because ADAssessor
Dashboard requires Referral option to be selected to display certain data in the
ADAssessor Dashboard.
Access Over Trust Select if you want to configure a trusting domain in a different forest. This option is
relevant if you want to assess or protect a trusting domain using the credentials of a user
in the trusted domain.
Consider that summer.com is a domain in Forest B, which trusts spring.com in Forest A. If
you want to configure ADAssessor or ADSecure-EP for summer.com using a credential like
user@spring.com, then select this option.
• Trusting Domain Name: Enter the domain name like summer.com.
• Trusting Domain DC FQDN: Enter the FQDN of a DC of the trusting domain. Do not enter
an IP address. For example: adserver.summer.com

Note: You must create records for each trusting domain. For example, to configure 5
trusting domains, you must create one for each. You must also create one for the trusted
domain, in which you must keep the Access Over Trust disabled.

Save and Test Click to save the entered configuration.

Connection

3 When you click Save and Test Connection, the AD server details will be saved and the AD will listed
in the AD Configuration page.

4 To refresh the AD Data, select the required AD record and click Refresh AD Data.

118 Attivo Cloud User Guide

 ADSecure-EP
Deploying ADSecure-EP 8

5 To modify the details of an AD, select the required AD record and click Edit.

6 To delete an AD, select the required AD record and click Delete.

7 To refresh the AD Configuration page, click the Refresh button.

Create a protection policy

To deploy ADSecure-EP, create a protection policy that has ADSecure-EP enabled. You can also choose
to edit an existing protection policy and include ADSecure-EP in it.
You can:
• select the production objects that are to be protected and the decoy objects that are to be inserted.

• define allow or intercept rules.

ADSecure-EP functions based on whether you have selected allow or intercept rules in the exception
policy. Based your choice, ADSecure-EP determines if an AD lookup needs to be monitored. Therefore,
you must first determine if you want ADSecure-EP to be based on allow rules or intercept rules.

• Allow rules: If you opt for allow rules, then ADSecure-EP monitors all AD lookups from processes,
services, users, and computers that are not in the allow rules. Certain processes query the AD for
legitimate reasons. For example, security agents on the endpoints are generally known to query the
AD. By default, allow rules are already created for such safe processes, which are known to query the
AD. The default allow rules are not displayed in the user interface; contact Attivo Support for the
default entries. Also, by default the Allow Rules option is selected in the protection policy.

If required, you can define services, users, computers, and additional processes to be whitelisted
in ADSecure-EP configuration.

Note: On an endpoint, if the currently logged on user is exempted (allow rule), then all the AD lookup
performed by this user are also exempted. This applies even if this user performs the AD lookup with the
privileges of a user, who is not exempted (using the Run as command for example).

Consider the contrary, wherein the currently logged on user is not exempted, but this user performs the
AD lookup as another user, who is exempted. In this case, the AD lookup is exempted.

• Intercept rules: If you opt for blacklist, then ADSecure-EP monitors AD lookups only from the
processes in the blacklist. For example, there are tools such as Bloodhound used by attackers for
recon attacks on the Active Directory. A default blacklist that includes many such processes is
provided. The default entries in the blacklist are not displayed in the user interface; contact Attivo
Support for the default blacklist.

Note: You cannot modify the default allow or intercept rules.

Steps:
1 Go to Configuration | Endpoint Policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add ADSecure-EP configuration to it.

3 Click Configure Now on the ADSecure-EP pane.

4 Select Alert Only mode to evaluate your ADSecure-EP configuration.

Attivo Cloud User Guide 119

8 ADSecure-EP
Deploying ADSecure-EP

In Alert Only mode, the ADSecure-EP functions as per your configuration and provides the AD
query details in the reports and events. However, ADSecure-EP does not modify the AD response
in any way.

Tip: To begin with, deploy ADSecure-EP in Alert Only mode, analyze the ADSecure-EP report, and modify
the exceptions list, if required.

When you are prepared to deploy ADSecure-EP in production mode, select Alert and Engage
mode. ADSecure-EP then begins to modify the applicable AD responses automatically after the
next update interval. You do not need to click Apply in the corresponding protection policy for the
changes to take effect.

By default, Alert Only is the default selection.

5 Select AD Web Services Block, if you want ADSecure-EP to block and report any communication to
Active Directory Web Services. For example, if an unauthorized user executes a script containing
RSAT PowerShell cmdlets, ADSecure-EP blocks these cmdlets from being successfully executed.
ADSecure-EP then provides the API call details in the report. The corresponding event raised is AD
Web Services usage blocked. In the Alert Only mode, the event raised is AD Web Services usage
detected.

If you do not select this option, ADSecure-EP reports the Windows PowerShell cmdlets that are
executed on endpoints but does not block them. In this case, the corresponding event raised is
Active Directory Powershell cmdlets usage detected. If the output of a cmdlet contains DC details,
then ADSecure-EP replaces the host name and IP address of the production domain controllers
with the deceptive ones in the PowerShell console. In this case, the event raised is Domain
Controller Discovery Detected.

Privileged Administrators, Service Accounts, Local Administrators, Domain Controllers,

and Delegated Admins (ACLs)

The AD objects are listed for each production domain you specified at Configuration | Active
Directory | AD Configuration.

In the first column, select the production object for which deceptive objects are to be inserted in the
AD response. That is, select the privileged administrator, service account, Local Administrator and
domain controller.

Tip: You can select multiple objects in a row. However, for ease of use and clarity, recommend that you
use one row per production object.

6 Select a privileged administrators group to select all the current users of that group across all
domains. For example, select the domain admins group to select all the current domain admins across
all the domains. Subsequent users added to the domain admins group are not selected by default.

All Privileged Users whose primary group is not Domain Users (that is, primaryGroupID is not
513), are not included when you select any privileged group (like Domain Admins) under
Privileged Administrators. Some tools like NetIQ DRA (Directory Resource Administrator) can
change the primaryGroupID of objects.

a Select the corresponding deceptive objects to insert in the AD response. Select the credentials
object that contains the required deceptive users.

• The deceptive object is added only if the selected production object is present in the AD
response. Consider jdoe is a production user belonging to both Domain Admins and Enterprise
Admins of acme.com. You have configured the deceptive users to add for jdoe/domain admins
but not for jdoe/enterprise admins. Then, Attivo Endpoint Application inserts the deceptive users
if the query results contain jdoe/domain admins but not for jdoe/enterprise admins.

• For the deceptive AD objects, the Attivo Cloud takes only the name from the credentials object.
All the attributes are of that of the selected production objects.

120 Attivo Cloud User Guide

 ADSecure-EP
Deploying ADSecure-EP 8

b Select the DNS server names.

ADSecure-EP then uses these decoy FQDNs to add the deceptive entries in the AD response.
ADSecure-EP also uses these FQDNs in the deceptive active sessions and Kerberos tickets.

7 Under Service Accounts, select Managed and / or Unmanaged Service Accounts.

• User accounts listed here are accounts in Active Directory which have an SPN registered against
them. Managed Service Accounts are gMSA accounts where password is managed by Active
Directory.

• Unmanaged Service Accounts are accounts which are managed by Administrators with an SPN
registered on the account. For the Service Accounts selected from the list, corresponding decoy
deceptive credential(s) are added in the response when queried from endpoints.

• If you select Managed under Service Accounts, then all the current MSAs across all the domains
are selected. Under domain controllers, select the domain to select all the current domain
controllers. However, the records created subsequently in the AD are not selected by default.

8 In Local Administrators field, type any Local administrator’s name that replace the actual
administrators.

• This option protects members of local administrators group. You can enter a name for a decoy local
administrator. You can enter only one decoy local administrator per ADSecure-EP profile. Then
Attivo Endpoint Application creates this decoy account on the endpoint in disabled state. When
adversaries enumerate the local administrators group, this decoy account is also displayed. Though
this decoy account is in disabled state, ADSecure-EP modifies the query response to show that it
is active. You can select the Hide option to hide the local administrator, if required.

• By creating the decoy local administrator in disabled state and with random passwords, Attivo
Endpoint Application ensures the attacker cannot use the decoy local administrator to gain any kind
of access on an endpoint or use it to move laterally to other endpoints. When you uninstall Attivo
Endpoint Application, this decoy local administrator is also deleted on the endpoints.

• When attackers enumerate local administrators or local groups, the Attivo Cloud raises the
following events accordingly:

• Local administrator user enumeration detected

• Local group enumeration detected

9 In the Domain Controllers section, select one or more server objects that are to be inserted in the
AD response instead of the production domain controllers.

a Select the required production objects.

b Select Hide against any of these options to hide the corresponding objects in the AD response.

10 In Delegated Admins (ACLs) field, you can select the Delegated Admins (ACLs) but they are not
inserted in the AD response.

11 ADAssessor Configuration is the count of normal (non-privileged) user objects that you configured
to hide using the Improve Protection wizard of ADAssessor. You can hide up to 2000 of such objects
per endpoint policy.

• Click View Configuration Report to view all the AD objects protected by ADSecure-EP as per
this protection policy. This report also details the deceptive AD objects inserted in the AD response
through this protection policy.
• Click Run ADAssessor Improve Protection Wizard to view the AD objects affected by
exposures. Then, you can include those objects in the required endpoint policies for ADSecure-EP
to hide them in the untrusted AD queries. Note that the Improve Protection wizard invokes with no
filters. For more details, see Improve protection through ADSecure-EP.

12 After selecting the required production and decoy objects, click Save.

Attivo Cloud User Guide 121

8 ADSecure-EP
Deploying ADSecure-EP

The ADSecure-EP configuration data details the AD objects that Attivo Endpoint Application hides and
the deceptive objects that it will add in the AD response. Therefore, use this report to understand and,
if needed, troubleshoot your ADSecure-EP implementation.
The details are provided for each production object that are involved. For example, if you select the
users in the Engineering OU, then the ADSecure-EP configuration data contains the details for each
user belonging to Engineering OU.
When you modify any settings in ADSecure-EP, Attivo Cloud automatically sends the changes to the
Attivo Endpoint Application instances at the next update interval.

How does ADSecure-EP protect domain controller details in console output?

You can configure ADSecure-EP to protect the production DC details when adversaries attempt
commands such as the following in Windows Command Prompt or PowerShell:
• echo %logonserver%

• set

• nslookup

• systeminfo

• gpresult /r

ADSecure-EP replaces the production DC host name and IP address with deceptive ones in the console.
ADSecure-EP also raises the following event: Domain Controller Discovery Detected.

View ADSecure-EP configuration data

The configuration data of an ADSecure-EP details the AD objects that Attivo Endpoint Application hides
and the deceptive objects that it will add in the AD response. Therefore, use this report to understand
and, if needed, troubleshoot your ADSecure-EP implementation.
The details are provided for each production object that are involved.

Table 8-3 ADSecure-EP configuration data

Field Description
Domain The production domain to which the object belongs.
Production object The sAMAccountName of the production object.
Type The Attivo Cloud categorizes the object into one of these categories:
• Privileged administrator: The user you selected from the Privileged Administrators list
while configuring ADSecure-EP.
• Service account: The service account (managed or unmanaged) you selected from the
Service Accounts list while configuring ADSecure-EP.
• Local Administrators: The user name of the local admin you entered while configuring
ADSecure-EP.
• Domain controllers: The object is a domain controller that you selected from the
Domain Controller list while configuring ADSecure-EP.
• User: The object is a user that you selected in the Shadow Admin/Computer
Objects section while configuring ADSecure-EP.
• Computer: The object is a computer that you selected in the Shadow Admin/
Computer Objects section in the Hide or Add tab.
• Delegated Admins (ACLs): This is a shadow admin (user object or computer object) that
you selected in the Delegated Admins (ACLs) field while configuring ADSecure-EP.

122 Attivo Cloud User Guide

 ADSecure-EP
Viewing the ADSecure-EP related events 8

Table 8-3 ADSecure-EP configuration data

Field Description
Hide Group A dash (-) means that you have not selected this production object while configuring
ADSecure-EP.
If an AD group name is displayed, then ADSecure-EP hides this production object only if
the malicious AD query is specific to this group. For example, the object is jdoe and the
group displayed in Hide Group is Enterprise Admins. If the attacker queries for enterprise
admins, then Attivo Endpoint Application hides jdoe in the response. If the attacker queries
for domain admins, wherein jdoe is also a part of, Attivo Endpoint Application does not hide
jdoe.
A green check indicates that the object is to be hidden regardless of the group the object
belongs to.
If you select the production object in multiple groups, then all those groups are listed
separately.
Add Group Similar to the Hide Group but the deceptive objects that Attivo Endpoint Application inserts
in the AD response are listed. The deceptive objects are displayed within parenthesis. If
you select the production object in multiple groups, then those groups are listed
separately.
Deceptive content The list of deceptive user, service account, or computer that Attivo Endpoint Application
will insert in the AD response for the corresponding production object.

Click Export button to export the ADSecure-EP configuration data to a csv file.

Viewing the ADSecure-EP related events

Attivo cloud generates events for AD queries, which are known to be potentially malicious. These AD
queries for which events are raised are primarily sourced from MITRE ATT&CK knowledge base.
Raising events for malicious AD queries enables you to take actions on the compromised endpoints. For
example, security analysts at your SOC can quarantine the compromised endpoints through an
integrated firewall. You can also forward the event details using syslog, configure email notification, use
Playbook to automate response for malicious AD queries, and so on.

Note: In some cases, Attivo Cloud can raise the event even if the AD response has not been modified by the
ADSecure-EP module.

The severity of the ADSecure-EP events is determined dynamically. That is, the same attack can have a
different severity assigned based on factors such as context and the probable intention of the AD query.
For example, AD queries executed in applications from unknown publishers have a higher severity
assigned. Similarly, AD queries executed with escalated privileges too have a higher severity assigned.

Attivo Cloud User Guide 123

8 ADSecure-EP
Viewing the ADSecure-EP related events

124 Attivo Cloud User Guide

9 Configuring Anti-Ransomware

The Anti-Ransomware is part of the EDN suite, which protects and detects ransomware activity at
various levels. As an EDN feature, the Attivo Endpoint Application implements Anti-Ransomware as per
your configuration. The Anti-Ransomware feature is primarily for Windows endpoints.
Figure 9-1 Anti-Ransomware protection inside an infected endpoint

Attivo Cloud’s Anti-Ransomware feature consists of 3 modules, with which you can create both
proactive and reactive strategies against ransomware:
• DataCloak: This can be part of your proactive strategy. DataCloak protects files and folders stored
locally as well as on network drives, removable media, and cloud. Also,. You can configure DataCloak
to prevent ransomware from reading, writing, or even enumerating files and folders.

Attivo Cloud User Guide 125

9 Configuring Anti-Ransomware
High-level steps to configure Anti-Ransomware

• Behavior Detection: This can be part of your reactive strategy. You can detect any ongoing
ransomware activity in real time. You can configure DataCloak to protect the files and folders you
specify. However, on an infected endpoint, the ransomware may still attempt to encrypt unprotected
files or try to tamper with critical services or registry. The Behavior Detection feature monitors for
such Indicators of Compromise (IOC) in real time.

A common case for Behavior Detection is when a ransomware injects into well-known (and often
exempted/whitelisted) processes. Another example can be when you have not protected certain
files or folders through DataCloak. In such scenarios, Behavior Detection acts like a second line of
defense against ransomware.

You can configure a response action in the Behavior Detection module to just alert, stop the I/O
operations of the malicious process, or even terminate the process.

• File Backup: As a precaution, configure Windows file backup. Also, prevent ransomware from
tampering with Windows backup configuration. Behavior Detection detects ransomware activity in
real time. By the time you take remedial steps, a few files might be encrypted already. You can
configure backing up of the required volumes and make them resilient to ransomware.

Note: All the 3 modules of Anti-Ransomware function independent of each other. Therefore, you can
configure all of them or just the ones you require. Configuring all of them can provide a complete anti-
ransomware campaign.

High-level steps to configure Anti-Ransomware

1 Configure the Anti-Ransomware profile based on the modules you want to implement. Recall that you
can implement any or all the modules.

• To configure Anti-Ransomware, go to Configuration | Endpoint Policies | Protection Policy, add or

edit a protection policy. Then, click Configure now in Anti-Ransomware pane.

• If you configure Add Deceptive Network Shares in DataCloak, click View for the list of
deceptive tokens crafted by Attivo Endpoint Application.

• To configure DataCloak, see Configuring DataCloak.

• To configure Behavior Detection, see Configuring Behavior Detection.

• To configure File Backup, see Configuring File Backup.

2 Generate Attivo Endpoint Application and install it on Windows endpoints for all users in service mode
(/service /ia runtime parameters).

3 View the blocked ransomware activities and related details in Endpoints Activity (Analysis |
Endpoints | Activity - Details) page.

• Behavior Detection: If a process crosses the ransomware threshold score, then the Attivo Cloud
raises the Ransomware Behavior Detection event under Analysis | Events.

• File Backup: If you configure Protect Backup Archive feature, and if an attacker attempts to
tamper with Windows Volume Shadow Copy, then these activities are reported in the Endpoints
Activity page. The Query Type and Feature name for these records is Protect Backup. Enter Protect
Backup as the search string in the Summary section and then click on the Query Type or Feature
name to view the details of the commands executed.

126 Attivo Cloud User Guide

 Configuring Anti-Ransomware
DataCloak 9

A snippet from the Summary

section

A snippet from the

Details section

There are no events for Protect Backup.

DataCloak
The DataCloak is a module of Anti-Ransomware, which enables you to protect your assets against
ransomware in two ways:
• Hiding the files, folders, and mapped network drives.

Hiding files, folders, and mapped network drives

A malware can exfiltrate or encrypt data only when the files are accessible. Hiding the required files,
folders, and network drives from untrusted processes can enable you to preempt ransomware attacks.
For example, when an untrusted process attempts to enumerate files, folders, or mapped network
drives, Attivo Endpoint Application hides them in the query result.

Note: An untrusted process means a process not trusted based on Exceptions. That is, the process, user, or
host is not specified in the Allow rules or the process is specified in the Intercept rules.

Attivo Endpoint Application hides the configured files, folders, and mapped network drives only if the query is
executed locally. If the query is executed remotely on a shared folder, then they are not hidden in the result.

In a protection policy, you can define the files, folders, and mapped network drives to be hidden from
untrusted processes. You can hide the files, folders, and mapped network drives from untrusted
applications with an user interface (UI) as well.
The DataCloak feature provides flexible options. You can protect any of the following in any
combination:
• Hide a folder itself.

• All files and child folders in a folder but not the folder.

• Specific files and child folders.

• Protect cloud-storage primary folder on endpoints. The currently supported cloud storages are
OneDrive, Box, and DropBox.

• All removable media.

• Files and folders in a removable media.

Attivo Cloud User Guide 127

9 Configuring Anti-Ransomware
DataCloak

• Mapped network drives.

Requirements and considerations

Requirements
• Attivo Endpoint Application must be installed in service mode for the same or all users.

Considerations
• To avoid hiding access to files and folders for legitimate processes, try your configuration thoroughly
in a test environment. The endpoints in the test environment must mirror the production endpoints
regarding the operating systems, installed applications, and other software.

A detailed testing is recommended to:

• Make sure there is no impact to the functioning of legitimate applications.

• Identify the legitimate queries so that the corresponding processes, users, and computers can be
added to the whitelist.

• The Mode option enables you to evaluate your configuration, such that legitimate enumeration
queries are not impacted. When you are ready to deploy in the production environment, you can first
deploy in the Alert mode and then progress to Alert & Engage mode. The Alert mode enables you
to safely evaluate your configuration, including the exception list (whitelist or blacklist) in your
production environment.

In the Alert mode, Attivo Endpoint Application reports all activities of untrusted processes on files,
folders, and mapped network drives, which you configured to protect in the response. Then, based
on this information, the Attivo Cloud raises events with the details. However, in the Alert mode,
Attivo Endpoint Application does not hide the files, folders, and mapped network drives. Therefore,
you can review the events to assess if you need to tweak the configuration including the whitelist
or blacklist.

Consider that an untrusted process changes the name of a file, which you configured to hide. Then,
the process enumerates the folder. The process is able to change the name because the Attivo
Endpoint Application does not hide the file in Alert mode. However, the event Local Drive
Enumeration Detected is raised. If you click the Details View of this event,, then you can see the
queries - File and Directory Access, to change the name of the file, and File and Directory Discovery
for folder enumeration.

128 Attivo Cloud User Guide

 Configuring Anti-Ransomware
DataCloak 9

When you first deploy the Protect Files and Folders feature on production endpoints, deploy it in
Alert Only mode, analyze the events, and tweak the configuration as required. When you are
ready to fully implement Protect Files and Folders feature, you can select Alert and Protect
mode.

Important: The only difference in Alert mode is that Attivo Endpoint Application does not alter the
responses. You still need to evaluate how the feature impacts the functionality of applications. Therefore,
note that the Alert mode does not remove the requirement of first evaluating in a test environment.

• Before you apply Windows updates on production endpoints with the Protect Files and Folders
feature, recommend that you qualify the Windows updates to make sure the endpoints continue to
function normally even with the newly installed Windows updates.

• The Protect Files and Folders feature is supported only on the following operating systems:

• Windows 7

• Windows 8.1

• Windows 10
• Windows 11

• Windows Server 2008

• Windows Server 2012

• Windows Server 2016

• Windows Server 2019

• Windows Server 2022

• Recommend that you do not install the Protect Files and Folders feature on servers such as Active
Directory Domain Controller and Exchange Server.

• Similar to ADSecure-EP, the Protect Files and Folders feature is a system-wide deployment. That
is, even if you install Attivo Endpoint Application with the /i (current user) parameter, the feature is
implemented for all users of that endpoint, regardless of whether they are domain-joined or not.
• Notes regarding exceptions (allow rules and intercept rules):

• Make a definitive list of all processes, services, users, and computers that you want to exempt -
allow rules. Alternatively, make a list of processes that you want to impact - intercept rules.

As per your preference, configure the allow rules or intercept rules at Configuration |
Endpoint Policies | Exception Policies. A default list of allow rules and intercept rules are
included. These default allow rules and intercept rules are not viewable. These default lists are
available on Attivo Support Portal for your reference. If required, you can create additional allow
rules or intercept rules as per your requirement.

Note: You cannot modify the default allow rules or intercept rules.

The Exceptions module has flexible options for you to define the context for a process you want
to exempt. For example, you can create an allow rule for Windows PowerShell just for privileged
users, and when launched from a specific location in the endpoint. Refer to the Exceptions
section and define the exceptions list accordingly.

• By default, the files, folders, and mapped network drives are protected in the results only when
the query is executed programmatically or if executed in a command line interface. These are not
hidden in the UI of untrusted applications. If required, you can configure to hide them in untrusted,
UI-based applications as well.

Attivo Cloud User Guide 129

9 Configuring Anti-Ransomware
DataCloak

• Popular UI-based applications such as the Microsoft 365 applications, Adobe’s products, and many
other popular yet free software like FileZilla are included in the default allow rules.

• Protection Level: DataCloak provides these three levels of protection:

• Write: If you specify a folder to be protected, then all the contents of that folder (files and sub-
folders) are write-protected. That is, an adversary can view the contents of the folder, view the
contents of the files and sub-folders, but cannot modify these files or sub-folders in any way
including their properties and attributes. However, the folder that you specified itself is not
protected (only its contents are protected). If you specify files to be protected, then similarly an
adversary can view the content but cannot modify it in any way.

• Read and Write: In addition to write-protect, in this mode, adversaries cannot view the contents
of the files and folders. If you specify a folder to be protected, then an adversary can enumerate
the contents of that folder but cannot view the contents of the files and sub-folders. That is,
traversing the protected folder is not possible. If you specify files, then the adversary cannot read
the contents of the files.

• Hide: In this mode, the contents of the specified folder are hidden. Similarly, if you specify files,
then the files are hidden. That is, enumeration itself is blocked.

• Add Attivo Endpoint Application to the exception list in all the endpoint security solutions to ensure
the operations related to Protect Files and Folders are not blocked.

• Queries executed in Windows PowerShell are not reported if it is a 32-bit PowerShell process running
on a 64-bit Windows platform.

• On endpoints running Windows 7 and Windows Server 2008, queries executed in Windows PowerShell
are reported, only if the Windows PowerShell version is 3.0 and command history is enabled in
Windows PowerShell.

• On an endpoint, if the currently logged on user is in the allow rules then all the file, folder, and mapped
drives enumeration performed by this user is allowed. This applies even if this user performs these
queries with the privileges of a non-exempted user (using the Run as command for example).

Consider the contrary, wherein the currently logged on user is not exempted, but this user
performs the enumeration as another user, who is exempted. In this case, the query is allowed.

• If you have configured DataCloak (Protect Files, Folders, and Shares) and you wish to uninstall the
Attivo Endpoint Application, you must reboot the endpoint to completely clean up the Attivo files.

Configuring DataCloak
Recall that you configure DataCloak within Anti-Ransomware feature.
This section provides the steps to configure both the following options:
• This feature requires decoy host names or IP addresses. You can also use the production host names
or IP addresses as discussed in an earlier section.

• Hiding the files, folders, and mapped network drives. For this feature, you specify the real files,
folders, and network drives, which you want to hide.
Before you begin:
• To create SMB deceptive shares (lures) and block ransomware attacks on endpoints, make sure you
have completed the following:

• You have created the required decoy server objects.

• You have created the credentials objects (that is, user objects).

• For hiding the files, folders, and mapped network drives.

130 Attivo Cloud User Guide

 Configuring Anti-Ransomware
DataCloak 9

• You have the list of files, folders, and mapped network drives you want to hide in enumeration
results.

• You have decided the mode - Alert Only or Alert and Protect.

• You have decided the protection level - Write Only, Read and Write, or Hide.

• You have decided whether to hide them in untrusted, UI-based applications as well.
Steps:
1 Go to Configuration | Endpoint Policies | Protection Policies.

Existing Protection policies are listed.

2 Click Add to create a new Protection policy or select a policy and click Edit.

3 Navigate to Anti-Ransomware section and click Configure now.

4 Do the following to create SMB deceptive shares.

a By default, a record is created automatically.You can modify this default record. To create more
records, click + next to Add Deceptive Shares.

Note: The Mode, Protection Level, and All UI Applications fields are not relevant for SMB deceptive
shares.

b From the Server Objects list, select the required decoy server deception objects.

c From the User Objects list, select all or specific credential deception objects.

Also see the description for Use logged-on user credentials.

5 Click the gear icon adjacent to Add Deceptive Shares.

Attivo Cloud User Guide 131

9 Configuring Anti-Ransomware
DataCloak

Table 9-1 Fields in the Content dialog

Field Description
Count Randomize up to: Enter the maximum number of deceptive SMB shares to be inserted
per endpoint. This ensures that not all endpoints have the same number of deceptive SMB
shares installed in them.
Attivo Endpoint Application calculates a random value every time it installs deceptive
tokens for an application. Consider that the randomization value you entered is 5. You are
installing the Attivo Endpoint Application for all users on a Windows endpoint. Currently,
user1 and user2 are logged on that endpoint. Attivo Endpoint Application calculates a
random value between 1 and 5 for SMB lures for user1 and another value between 1 and
5 for SMB lures for user2.
Learned Multiplier: This option maximizes the chances of attackers using stolen SMB
tokens against the real ones. For example, if you select this option with a value of 5, then
Attivo Endpoint Application checks the number of real network drives on the endpoint.
Suppose that there is one real SMB token on an endpoint. Then, Attivo Endpoint Application
attempts to install 5 deceptive SMB tokens on that endpoint.

Note: Attivo Endpoint Application can install up to 20 deceptive SMB shares based on the
value you specify in the Learned Multiplier field.

Refresh Select this option to regularly update the timestamp of the deceptive SMB shares on
Windows endpoints. Attackers might not choose to use old tokens. So, refreshing the
timestamp makes deceptive tokens appear like they are used often by users.

Important: For this feature, you must install Attivo Endpoint Application in service mode.

Connect to Decoys Select this option to connect to the corresponding S3 or File Storage decoys.
Use deception user These two options are related and determine the user names to be used in the deceptive
credentials tokens.
The user names in the deceptive tokens can be sourced from the following:
• Credential deception objects.
Use logged-on user • User names of those who are currently logged on to the endpoint.
credentials • Real user names saved on the endpoints.
You can choose to use both deceptive as well as real user names, use only the real user
names, or use just the deceptive user names.
The real user names are the user names of the logged on users and real user names saved
on endpoints. For the real user names, Attivo Cloud uses passwords from the credential
deception objects.
Use deception user This setting uses only the user names defined in the selected credential deception objects.
credentials: Selected That is, no real user names are used.
Use logged-on user
credentials: Not
selected
The following settings use the credential deception objects as well as real user names to generate the deceptive
user names for the tokens. Choosing one or more credentials deception object is mandatory for the following
settings.
Use deception user The user names for the deceptive tokens are generated from the following sources:
credentials: Selected • Only for Windows endpoints: The real user names of the corresponding service,
which are saved on the endpoint. The real user names (without the domain) are used
as is. Consider that jparker and jim_parker are the user names saved in PuTTY on an
endpoint. Then either jparker or jim_parker is considered for creating the deceptive
Use logged-on user tokens for PuTTY. Preference is given to the user name that belongs to the same domain
credentials: Selected as the endpoint.

Note: The real user names are not considered for the following applications: Mozilla
Format: As-is Firefox, LSASS, Cookies.
In case of Internet Explorer and Google Chrome, the real user names are considered
only if the domain is the same as the domain of the logged on user.

• The currently logged on user without any modification.

• The user names in the credential deception objects.

132 Attivo Cloud User Guide

 Configuring Anti-Ransomware
DataCloak 9

Table 9-1 Fields in the Content dialog

Field Description
Use deception user The user names for the deceptive tokens are generated from the following sources:
credentials: Selected • Only for Windows endpoints: The real user names of the corresponding service,
which are saved on the endpoint. The real user names (without the domain) are used
as is. Consider that jparker and jim_parker are the user names saved in PuTTY on an
endpoint. Then both jparker and jim_parker are considered for creating the deceptive
Use logged-on user tokens for PuTTY. Preference is given to the user names that belong to the same domain
credentials: Selected as the endpoint.

Note: The real user names are not considered for the following applications: Mozilla
Format: Apply Firefox, LSASS, Cookies.
Default In case of Internet Explorer and Google Chrome, the real user names are considered
Transformation only if the domain is the same as the domain of the logged on user.

• The user names in the credential deception objects as is.

• Currently logged on users appended with the following strings:
• administrator (only for Windows endpoints)
• root (only for Linux and Mac)
• sysadmin (only for Linux and Mac)
• admin
• sysoper
• priv
• domain
• lab
• test
• sysdb
• system
• user
• corp
• demo
• guest
For example, if a logged on user name is john, then a deceptive user name could be
john_admin.
Use deception user The user names for the deceptive tokens are generated from the following sources:
credentials: Selected
• Only for Windows endpoints: The real user names of the corresponding service,
which are saved on the endpoint. The real user names (without the domain) are used
as is. Consider that jparker and jim_parker are the user names saved in PuTTY on an
endpoint. Then both jparker and jim_parker are considered for creating the deceptive
Use logged-on user tokens for PuTTY. Preference is given to the user names that belong to the same domain
credentials: Selected as the endpoint.

Note: The real user names are not considered for the following applications: Mozilla
Format: Apply User Firefox, LSASS, Cookies.
Transformation In case of Internet Explorer and Google Chrome, the real user names are considered
only if the domain is the same as the domain of the logged on user.

• The user names in the credential deception objects as is.

• A variation of a currently logged on user.
You must enter format specifiers or fixed static values in the adjacent text box for Attivo
Endpoint Application to create a variation of a user name currently logged on to the
endpoint.
Use %d for Attivo Endpoint Application to insert a random number, %c for a random
lower-case letter, and %C for a random upper-case letter.
As per the format specifier, characters are appended to a currently logged on user
name. For example, user john is the currently logged on user on an endpoint and you
entered %C%d as the format specifier. Then, a deceptive user name could be johnJ4.
If you enter a fixed value like a character, number or a special character, they are
appended to a currently logged on user name. For example, user john is currently
logged on user on an endpoint and you entered P9. Then, deceptive user name would
be johnP9.
The following settings use just the currently logged on user names to generate the deceptive user names.

Attivo Cloud User Guide 133

9 Configuring Anti-Ransomware
DataCloak

Table 9-1 Fields in the Content dialog

Field Description
Use deception user Only the user names who are currently logged on to the endpoint is used without any
credentials: Not modification in the deceptive tokens.
selected For example, if jdoe is the only user currently logged on to the endpoint, and there are 10
Use logged-on user deceptive tokens inserted in the endpoint, then all these tokens have jdoe as the user
credentials: Selected name.

Format: As-is
Use deception user The user names for the deceptive tokens are generated by appending the following strings
credentials: Not to the currently logged on users:
selected
• administrator (only for Windows endpoints)
• root (only for Linux and Mac)
Use logged-on user • sysadmin (only for Linux and Mac)
credentials: Selected
• admin
• sysoper
Format: Apply • priv
Default
Transformation • domain
• lab
• test
• sysdb
• system
• user
• corp
• demo
• guest
For example, if a logged on user name is john, then a deceptive user name could be
john_admin.
Use deception user The user names for the deceptive tokens are a variation of a currently logged on user.
credentials: Not
You must enter format specifiers or fixed static values in the adjacent text box for Attivo
selected
Endpoint Application to create a variation of a user name currently logged on to the
endpoint.
Use logged-on user Use %d for Attivo Endpoint Application to insert a random number, %c for a random lower-
credentials: Selected case letter, and %C for a random upper-case letter.
As per the format specifier, characters are appended to a currently logged on user name.
For example, user john is the currently logged on user on an endpoint and you entered
Format: Apply User
%C%d as the format specifier. Then, a deceptive user name could be johnJ4.
Transformation
If you enter a fixed value like a character, number or a special character, they are
appended to a currently logged on user name. For example, user john is currently logged
on user on an endpoint and you entered P9. Then, deceptive user name would be johnP9.

6 Click OK.

7 Do the following to hide files & folders.

a Based on how you want to deploy the Protect Files & Folders and the Protect Shares features,
select Alert Only or Alert and Protect in the Mode field.

b Based on the level of protection you require, select Write Only, Read and Write, or Hide in the
Protection Level field.

c Similarly, select the whitelist option for UI of untrusted applications.

• This field applies to both Protect Files & Folders and the Protect Network Shares features.

• If you select Whitelist, the files, folders, and shares are not hidden in the UI of even untrusted
applications.

d You can modify the default Protect Files & Folders record. To create more records, click + next
to Protect Files & Folders.

134 Attivo Cloud User Guide

 Configuring Anti-Ransomware
DataCloak 9

Tip: The file names can contain an asterisk at the end as a wild card. Extensions are mandatory when
you define a file name.

e To hide folders and files in a user’s home directory or the default folders, select Folders.

• For example, <HomePath> might translate to C:\Users\jdoe\OneDrive*

• Specify the folder name and file names. If you enter multiple values, separate each with a
comma.

Example: example_folder_name, example_file.pdf, example_wild*.docx

You can use * at the start or at the end as a wild card.

When you specify child folders, all the files and child folders in those folders are protected.

• Do not provide file names or extensions.

• To hide folders inside a child folder, provide the path. Example:

example_child_folder\folder_name
• To hide specific files in a child folder of a default folder, use the Custom option.

f Similarly, to hide only the files in a user’s home directory or the default folders, select Files Only.

• Some of the common file extensions are provided. You can add more extensions.

Example: example_file.pdf, example_wild*.docx

• If you do not provide any file name, then the default folder is included in the query result but
enumerating that default folder will not yield any file names but just the child folder names.

g To hide removable media or hide files in a removable media, select Removable Media.

• To hide specific removable media, de-select All Removables and enter the mounted path to a
removable media.

• To hide a folder in a removable media, enter the path. You can also hide specific files in a
removable media similar to the default folders.

• Only one record is allowed per ThreatStrike profile for removable media.

h To protect the cloud-storage primary folder on the endpoint, select Cloud Storage.

• The currently supported cloud storages are OneDrive, Box, and DropBox.

• For example, if you select OneDrive, then all folders starting as onedrive are hidden in the
user’s home directory (<HomePath>\OneDrive*). As an example, this can translate to
C:\Users\jdoe\OneDrive*

• If the cloud-storage primary folder is in a different location than the user’s home directory, then
use the Custom option. This option is described later on in this section.

• To hide specific child folders in the cloud-storage primary folder, use the Custom option.

i To hide files in locations other than the default folders, use the Custom option.

• Enter the full path to the folder, wherein you want to hide files. You can use environmental
variables to define the path.

• Define the file names.

Example: example_file.pdf, example_wild*.docx, *.txt

• If you leave the file name text box empty, then the custom folder itself is hidden in the query
result.

8 Do the following to protect mapped network drives.

Attivo Cloud User Guide 135

9 Configuring Anti-Ransomware
Behavior Detection

a You can modify the default Hide Shares record. To create more records, click + next to Hide
Shares.

Tip: The file names can contain an asterisk at the end as a wild card. Extensions are mandatory when
you define a file name.

b Select All Shared Folders to hide all mounted network drives on the endpoints. Alternatively, de-
select this option and in the adjacent text box, enter the full path to the shared network folder
(including the IP address or FQDN). If you enter multiple paths, separate each with a comma.

Example: \\192.0.2.20\MyShare\Temp\jdoe, \\fileserver.acme.com\automation\tools\current

9 Configure more records as required and click Save.

10 Click Apply Changes to associate the DataCloak configuration with the protection policy.

11 Click Download to download the Attivo Endpoint Application.

Behavior Detection
Behavior Detection module of Anti-Ransomware detects ransomware activity on Windows endpoints
and in real time. Reporting includes the details of the ransomware activities and the processes involved.
Therefore, you can use this information to extend your surveillance, investigation, and remediation. For
example, you can automatically quarantine the affected endpoints in real time through an integrated
firewall. You can also investigate if the same process is running on other endpoints and so on.
In the Anti-Ransomware profile, you specify the following:
• File extensions to be protected. The Behavior Detection module responds as per your configuration if
any process (other than the ones exempted) encrypt the corresponding files.

• How sensitive the analysis should be.

• The number of decoy documents to be deployed. This is to detect malicious activity as well as to keep
the ransomware engaged to reduce the impact on production files.

• The response action if ransomware activity is detected.

How does Attivo Cloud identify ransomware?

On the endpoint, the Behavior Detection module monitors for malicious and anomalous behavior
related to files and services. That is, it looks for certain IOC. To analyze these activities, the Behavior
Detection module uses machine learning algorithms and models. Then, it grades these IOC based on
their nature and severity. A score that crosses a certain threshold can confirm ransomware activity. The
options you specify in the profile determine the threshold score and the response action.
The following are some of the IOC that contribute to the ransomware score:
• Any operation on bait files. This is considered as high-severity because these files are hidden for
legitimate users. So, any operation on these files is most likely a ransomware activity.

• Tampering or stopping services and processes.

• For example, stopping or modifying settings of security applications like mpcmdrun.exe.

• Services related to storage and retrieval of files, and scheduled tasks.

• Stopping the processes related to the usually targeted files. Ransomware stop these processes
prior to encryption to prevent the target files from being locked.

• Deleting shadow copy or tampering the settings to make backup restore difficult.

• Misuse of related Windows APIs like the ones used for cryptography.

136 Attivo Cloud User Guide

 Configuring Anti-Ransomware
Behavior Detection 9

• Entropy of files. The Behavior Detection module uses industry-standard models to determine changes
in the randomness of files. This indicates if a process is encrypting files. For this purpose, Attivo
Endpoint Application considers only the file extensions that you specify in the profile.

Points to note about Behavior Detection

• It is very important that you exclude Attivo Endpoint Application in all the endpoint security
applications like EDR and anti-virus applications. It is equally important that you exclude those
endpoint security applications in the Attivo Cloud.

Important: The popular endpoint security applications are excluded through the default allow rule.
However, as an additional precaution, recommend that you explicitly add all the applicable endpoint
security applications to an Exceptions policy. Note that you must select System Wide in the allow policy
for it to be applicable for Behavior Detection. When you exempt a process, user, or host then Attivo
Endpoint Application does not analyze any of the activities for that process, user, or host. See Configure an
allow policy.

You can also configure intercept rules (with System Wide option selected), but there are no default
intercept rules for Behavior Detection.

• Given the design of the Behavior Detection module, the chances for false-positives is practically nil.
Therefore, you do not need to create allow rules for Behavior Detection except for the security
applications. However, recommend that you deploy in Alert Only and Conservative mode to begin
with. Then, you can progress to a more impactful and sensitive configuration like Terminate Process
and Aggressive mode. See Configuring Behavior Detection.

• Generally ransomware spawn processes to evade detection. This risk is mitigated because Behavior
Detection monitors all the processes except the exempted ones.

• The functionality of Behavior Detection is local to the endpoint. Therefore, shared folders are not
considered.

• The grading of IOC is based on research and industry perception. If changes are found to be needed,
Attivo Networks™ can be alter the scores through .dat files without you having to upgrade the Attivo
Cloud software. You can download the .dat files to the Attivo Cloud from Attivo Software Upgrade
Server. However, Attivo Networks™ cannot customize the grades for a particular customer.

Configuring Behavior Detection

Recall that you configure Behavior Detection using Anti-Ransomware feature.
Before you begin:
• You have decided the file extensions to monitor.

• You have reviewed and complied with the important notes under Points to note about Behavior
Detection.
Steps:
1 Go to Configuration | Endpoint Policies | Protection Policies.

Existing Protection policies are listed.

2 Click Add to create a new Protection policy or select an existing Protection policy and click Edit.

3 Navigate to the Anti-Ransomware pane and click Configure now.

4 Go to the Behavior Detection tab and specify the details.

Attivo Cloud User Guide 137

9 Configuring Anti-Ransomware
Behavior Detection

Field Description
Behavior Detection Select to enable. If you enable or disable post deployment, the Behavior Detection runs or
stops accordingly at the next update interval (Client Group setting).
Mitigation Select the response action for Attivo Endpoint Application when ransomware activity is
detected.

Note: The response action applies only to the corresponding instance of the process
based on its PID.

• Alert only: The Attivo Cloud just displays the details of the activities in Analysis |
Endpoints | Activity (Details tab) and raises events. The details includes the process
hierarchy and activity details. However, there is no impact on the malicious process.
Recommend that you first deploy in Alert only mode to observe and make changes to
profile and exceptions as necessary. Then, you can switch to one of the following
modes, which impact the process.
• Block all I/O: In addition to alerting, the Attivo Endpoint Application blocks all input and
output operations of the malicious process and its parent processes.
• Terminate Process: In addition to alerting, the Attivo Endpoint Application stops the
process. In this case, the parent process is not impacted.
Mode Recall that Attivo Endpoint Application monitors various factors to deduct ransomware
behavior like IOC and file entropy. The Attivo Cloud internally assigns a score for each
monitored IOC. This score varies based on the perceived risk from an IOC. For Attivo
Endpoint Application to trigger the configured mitigation, the cumulative score for a user
on an endpoint must cross a certain threshold.
In Mode, select the level of sensitivity. The tolerance for malicious and anomalous
activities is least with Aggressive, medium with Moderate, and relatively higher with
Conservative.
• Conservative: The threshold score for IOC and file entropy is highest compared to
other modes. Also, Attivo Endpoint Application monitors only those IOCs that are a
definite sign of ransomware behavior. Therefore, this mode provides sufficient
protection with the least chance of reporting legitimate behavior.
• Moderate: This is a balanced mode, where Attivo Endpoint Application looks for
additional IOCs, with slightly lower thresholds for IOC score and file entropy.
• Aggressive: This option offers highest protection. If you choose this option, set the
Mitigation to Alert only for a brief time period to ensure legitimate operations are not
impacted.
File Extension Specify the extensions of files to be protected. Use a wildcard for the file name and
separate the extensions with commas. Example: *.docx,*.xls,*.pdf,*.rtf,*.zip
The file extensions server two purposes:
• Attivo Endpoint Application creates the bait files of these types.
• The Behavior Detection module monitors the entropy for these file types only.

Note: You can enter any extension as long as the length does not exceed 10 characters.

Bait File Count As explained earlier, bait files help to reliably detect infections and also to delay the
encryption of production files. You only need to enter a number. You do not need to provide
name, type, or content for these files. You can enter a value between 0 and 1000.

Note: Enter 0 if you do not want to deploy bait files.

• The file types are same as the ones you enter in the File Extension field. Consider you
entered .docx and .xlsx as the extensions and 200 as the file count. Then Attivo
Endpoint Application can deploy 100 .docx and 100 .xlsx bait files. Attivo Endpoint
Application deploys these 200 files to all the users on the system drive of that endpoint.
• The bait files are saved in relevant folders. However, none of these files are visible or
accessible to users.
• Each file can be from 1Kb to 100 Kb in size. The size is based on the file type. For
example, multimedia files can be slightly bigger.

5 Click Save.

138 Attivo Cloud User Guide

 Configuring Anti-Ransomware
File Backup 9

File Backup
As a precaution, you can schedule regular file backups in the Anti-Ransomware. This enables you to
quickly restore any encrypted or lost file without any disruption to your business.
When you configure file backup, Attivo Endpoint Application configures the native Volume Shadow Copy
Service of Windows. Therefore, at the intervals you specify, Windows takes the shadow copies of all the
volumes of the endpoint. When needed, you can restore the required volume or files from the shadow
copy.

Configuring File Backup

Recall that you configure File Backup using Anti-Ransomware feature.
Before you begin:
• Verify if Volume Shadow Copy is configured already on endpoints through some other application.
Then determine if you want to configure File Backup in the Attivo Cloud as well.

• You have identified the optimum space required for the shadow copies. You must factor in all the
endpoints you plan to cover under this Anti-Ransomware profile. If the space varies between
endpoints, you can create different profiles for different groups. However, in that case you must also
create different client groups and deploy the corresponding Attivo Endpoint Application instances on
those endpoints.

• You have determined the ideal backup interval.

• You can also protect the VSS shadow copies from being tampered by ransomware. When such
activities are detected, the Attivo Cloud can report. You can also configure Attivo Endpoint Application
to block such activities. If you want to exempt a process, user, or host in this regard, you must create
an allow rule in an exception. Similar to Behavior Detection module, you must select the System
Wide option. Intercept rules are also supported.
Steps:
1 Go to Configuration | Endpoint Policies | Protection Policies.

Existing Protection policies are listed.

2 Click Add to create a new Protection policy or select an existing Protection policy and click Edit.

3 Navigate to the Anti-Ransomware pane and click Configure now.

4 Go to the File Backup tab and specify the details.

Field Description
Backup Select to enable. If you enable or disable post deployment, the file backup is run or stopped
accordingly at the next update interval (Client Group setting).
Size Limit (1-10%) Enter a percentage of free space per volume to be reserved for shadow copy. For example,
if you enter 5, then 5% of the current free space is reserved for shadow copy. Attivo
Endpoint Application calculates the free space individually for each volume. Therefore, the
reserved space varies for volumes.
• Test this feature on some typical endpoints in your network to determine an optimum
value. You can use vssadmin commands to check the space required for the shadow
copies. Refer to Microsoft documentation for more information on Volume Shadow Copy
Service and vssadmin commands.
• Addition or deletion of volumes are handled at the next backup interval accordingly.

Attivo Cloud User Guide 139

9 Configuring Anti-Ransomware
View DataCloak Report

Field Description
Backup Interval (4- Specify the frequency for the backup. The backup is triggered at these intervals regardless
24 hours) of the status of the last backup. For example, if the endpoint is shutdown at the last
interval, the next backup is triggered only as per this setting.
Protect Backup A typical ransomware activity is to delete shadow copies. Tampering or deleting shadow
Archive copies also reveal the ransomware, which is detected by the Behavior Detection module.
You can configure how you want Attivo Endpoint Application to respond when ransomware
attempt to delete shadow copies.
Disabled: No action taken by the File Backup module. If you have configured Behavior
Detection, then the corresponding response action of that module applies.
Alert Only: The File Backup module does not prevent the ransomware from deleting the
shadow copies. However, it reports the details. You can view them in the Endpoint Reports
and Events.
Block and Alert: The File Backup module prevents the ransomware from deleting the
shadow copies and reports the activities as well.

5 Click Save.

View DataCloak Report

The DataCloak Report displays the details based on the Add Deceptive Network Shares, Protect Files &
Folders, and Protect Network Shares modes set in DataCloak. You can select the required mode and
view the data in DataCloak Report page.
Add Deceptive Network Shares

Field Description
IP Address/DNS Displays the IP address or name of the DNS server which is configured for the deceptive
Name
network share.
Password Displays the password which is present for the deceptive network share.
Username Displays the username which is present for the deceptive network share.

Protect Files & Folders

Displays the paths of the protected files, folders, and removable media files which are configured in
DataCloak.
Protect Network Shares
Displays the names of all the protected network shares.

140 Attivo Cloud User Guide

10 Deploying ThreatStrike

ThreatStrike consists of two modules:

• Inserting deceptive credentials also known as Lures

• Protecting production credentials.

Lures are deceptive tokens (breadcrumbs) or clues that you can configure on your production
endpoints. They create a false trail that lead attackers away from your real assets.
These tokens appear like normal data such as user credentials, browser credentials, browser cookies,
email client credentials, SecureShell (SSH) credentials, Windows Remote Desktop credentials, and so
on. When attackers consume these deceptive tokens during lateral movement, events are raised in
Attivo cloud.
In the endpoints, the Attivo Endpoint Application inserts the deceptive tokens for the configured
applications. For example, if you configure SMB deception content, then the SMB deceptive tokens are
stored in the default keychain on Mac clients. The intention is to store the deceptive tokens along with
real data on endpoints.
To install the deceptive tokens you must generate the Attivo Endpoint Application. You can install the
Attivo Endpoint Application on clients and servers running on Windows, Linux, and Mac operating
systems.

Note: If large number of users simultaneously login into a server (Citrix or Jump or Terminal) where
ThreatStrike feature is installed, then it is recommended to disable ThreatStrike feature.

When attackers steal information from the endpoint, they inadvertently steal these deceptive tokens as
well. Because the deceptive tokens refer to the decoys as the target servers, attackers end up targeting
a decoy IP address, thus revealing their presence in your network. In case of Windows and Linux
endpoints, Attivo Endpoint Application deceives the process to complete the 3-way handshake, the
details of which are presented in the corresponding events. In the case of Mac endpoints, Attivo
Endpoint Application updates the Attivo cloud to directly raise the appropriate events.

How to lure the attackers?

The deceptive tokens are stored along with real tokens on the endpoints. The key is to increase the
chances of an attacker using the deceptive tokens. Only then Attivo Cloud can detect and engage the
attacker.
• After attackers get a foothold in your network, they traverse laterally looking to access a prime server
containing highly valuable information. The probability of attackers using a deceptive token keeps
increasing as they steal tokens in the east-west direction.

After attackers steal tokens from the first few endpoints, the ratio of deceptive tokens against real
tokens is high enough for attackers to use at least some of the deceptive tokens.

• You can configure a proportionate number of deception tokens to be installed against the real tokens.
For example, you can configure that the deceptive tokens must be thrice that of real tokens. Then, if
there are 2 real RDP tokens in an endpoint, then Attivo cloud installs up to 6 deceptive RDP tokens
on that endpoint. This increases the ratio of deceptive tokens against real ones stored in an endpoint.

Attivo Cloud User Guide 141

10 Deploying ThreatStrike
Creating deception objects for Lures

To summarize, by creating attractive lures you can:

• Create deceptive tokens containing deceptive domain names as well as production server names.

• Create deceptive tokens for various applications operating on different flavors of Windows, Linux,
and Mac.

• Generate Attivo Endpoint Application, which intelligently inserts the deceptive tokens on the target
endpoints.

• Monitor the installation status of the deceptive tokens on the target endpoints.

• Detect the usage of stolen deceptive tokens.

• You can also choose to configure deceptive content on your AWS and Azure cloud platforms.

Creating deception objects for Lures

A deception object is an entity or a group of entities you define in Attivo Cloud. Once defined, you can
use a deception object to configure the relevant EDN features in the protection policy. For example, a
credential deception object contains fake user details. After you create the required credential
deception objects, you can use them to configure EDN features.
Deception objects act as the building blocks when you configure the related features. Deception objects
provide the advantage of re-usability and easy manageability. You can use the same deception object
in all relevant features. Also, if you edit the value in a deception object record, the change
automatically applies to all features where the corresponding deception object is used.
The first step to configure Lures is to create the required deception objects. You can create the
deception objects based on the applications for which you need to create the deceptive tokens.

Note: From the data defined in the deception objects, the Attivo Cloud internally creates up to 200 deceptive
tokens per application. At the time of installation, the Attivo Endpoint Application chooses the required
number of deceptive tokens in a random fashion from the deceptive tokens created by the Attivo Cloud. You
can view the deceptive token lot.

The following table displays the list of applications (based on the operating systems) supported by
Lures feature and the corresponding deception objects which are required to be created:

142 Attivo Cloud User Guide

 Deploying ThreatStrike
Creating deception objects for Lures 10

Operating System Application Required deception objects

Linux Mozilla Firefox • Server
• Credentials
Google Chrome • Server
• Credentials
SMB Client • Server
• Credentials
Thunderbird • Server
• Email
FileZilla • Server
• Credentials
OpenSSH • Server
• Credentials
SVN • Server
• Credentials
DNS (Domain Name Service) • Server
• Object type: DNS
Scripts & Files • Server
• Credentials
• Scripts & Files
Oracle Database (Databases) • Server
• Oracle Database
Browser Cookies (Web browser cookies) • Server
• Browser cookies
• Browser URLs
Browser Favorites (Web browser favorites) • Server
• Browser URLs

Attivo Cloud User Guide 143

10 Deploying ThreatStrike
Creating deception objects for Lures

Operating System Application Required deception objects

Windows Chromium Edge • Server
• Credentials
Mozilla Firefox • Server
• Credentials
Google Chrome • Server
• Credentials
Internet Explorer (Web browser) • Server
• Credentials
Explorer (SMB Client) • Server
• Credentials
Outlook • Server
• Email
FileZilla • Server
• Credentials
PuTTY • Server
• Credentials
LSASS (memory cached credentials) • Domain
• Credentials
Remote Desktop • Server
• Credentials
Internet Explorer (Web-based • Server
authentication) • Credentials
Browser Cookies (Web browser cookies) • Server
• Browser cookies
• Browser URLs
Internet Explorer (Web file transfer) • Server
• Credentials
• FTP profile
MySQL workbench • Server
• Credentials
MS SQL • Server
• Credentials
Browser Favorites (Web Browser Favorites) • Server
• Browser URLs
Telnet (Desktop Shortcut) • Server
• Credentials
DNS (Domain Name Service) • Server
Scripts & Files • Server
• Credentials
• Scripts & Files
ODBC DSN • Server
• Credentials
Oracle Database (Databases) • Server
• Oracle Database
Local Administrator • Credentials
MSTSC (RDP) • Server
• Credentials
MySQL Workbench • Server
• Credentials
Windows Native VPN • Server
• Credentials
• VPN Connection Name
144 Attivo Cloud User Guide
 Deploying ThreatStrike
Creating deception objects for Lures 10

Operating System Application Required deception objects

Mac Google Chrome • Server
• Credentials
FireFox • Server
• Credentials
Safari • Server
• Credentials
SMB Client • Server
• Credentials
Outlook • Server
• Email
FileZilla • Server
• Credentials
OpenSSH • Server
• Credentials
SVN • Server
• Credentials
DNS (Domain Name Service) • Server
Scripts & Files • Server
• Credentials
• Scripts & Files
Oracle Database (Databases) • Server
• Oracle Database
Browser Cookies (Web browser cookies) • Server
• Browser cookies
• Browser URLs
Browser Favorites (Web browser favorites) • Server
• Browser URLs
Outlook • Server
• Email

• If any of the application is not present on the endpoint then Attivo Cloud will not insert the
corresponding deceptive tokens (breadcrumbs) on the endpoint.

• For SSH application present on the Linux endpoint, the SSH host keys will be inserted in the
known_hosts file, only if the value for the parameter HashKnownHosts is set to 'No' in /etc/ssh/ssh/
config file.

Create the required deception objects:

• Create a decoy server deception object

• Create a credential deception object

• Create a domain deception object

• Create a browser URL deception object

• Create an email deception object

• Create a Web FTP profile deception object

• Create a browser cookie deception object

• Create VPN connection name deception object

• Create a Scripts and Files deception object

• Create an Oracle Database deception object

Attivo Cloud User Guide 145

10 Deploying ThreatStrike
Creating deception objects for Lures

Note: None of the deception objects can contain semi-colon, blank space, or comma. Also, make sure it does
not end with a special character.

Feature-deception object matrix

Review this section to understand which deception objects are required for which features. In the
following table, the heading row contains the feature names. The applicable deception objects are listed
for each feature.

Table 10-1 Type of deception objects used in EDN features

ADSecure-EP DataCloak Lures
Credentials Credentials (Users) Credentials (Users)
Servers
Emails (for Outlook and Thunderbird)
FTP (for Web File Transfer)
DNS Names Servers (to add URLs (for browser cookies and browser favorites)
(same as server deceptive network
Cookies (for browser cookies)
objects) shares on Windows
endpoints) VPN connection names (for Windows native VPN)
Oracle Databases
Domains (for LSASS)

Note:
• The EDN features not listed in the above table do not require deception objects.

• You must use the DNS policies (Configuration | Endpoint Policies | DNS Policies) to create the
server objects. See Create a decoy server deception object for the details.
• You must create the deception objects while you configure the EDN features in the corresponding
protection policies. However, for credential and Oracle database objects, you can create them at
Configuration | Endpoint Policies | Deception Objects. You can then use the same objects
across protection policies and features.

• To manage credential deception objects go to Configuration | Endpoint Policies | Deception

Objects | Credentials. See Create a credential deception object for the details.

• To manage Oracle database deception objects go to Configuration | Endpoint Policies |

Deception Objects | Oracle Databases. See Create an Oracle Database deception object for
the details.

Creating deception objects in bulk

You can create multiple deception objects in one action. For this purpose, the Attivo Cloud provides the
following options:
• Upload a CSV file, which contains the deception objects.

• Automate creation of deception objects using format specifiers.

Upload deception objects through CSV file

You can create a CSV file containing all the entities to be included in a deception object and import this
CSV file into the Manager.
Note:
• Where applicable, use the default deception objects as a reference to create the values in the CSV file.

• All the values shown in the following graphics are examples.

Steps:

146 Attivo Cloud User Guide

 Deploying ThreatStrike
Creating deception objects for Lures 10

1 Create a CSV file containing the entities as explained here.

• Credentials: Each row in the CSV file must correspond to a user record. For example, all the
details of user Joe Doe must be contained in one row. The second row must contain the credential
details of another user and so on. The details in a row must be separated by commas as indicated
in the diagram below.

For the sake of explanation and picture quality, the following diagram shows the record split into
multiple lines. However, note that all the details of a user must be defined in one row as shown above.

Password Last name Office

eschollm,Bootcamp123,Eduardo,Schollmeyer,system analyst,acme,1-541-754-3010,

User name First name Description Telephone number

Country

eschollm@acme.com,47697 Westinghouse Drive-Suite 201,94539,US,https://acme.com,

Email Address Zip code Web page

acme.com

Domain name

Note:
• The first string in a row is considered as the user name and the second string as the password and so
on.

• If you provide only the user name, then after you save the credentials record, the Attivo Cloud
automatically adds a random password for the user.

• The fields for which you do not provide values are left empty except for the password field.

Note:
• The first string in a row must be the share name, then the drive letter, and so on.

Attivo Cloud User Guide 147

10 Deploying ThreatStrike
Creating deception objects for Lures

• Servers: You can import the IP addresses of your production servers from a CSV file. Enter the URLs
of the production servers you want to include as part of lure in a CSV file. Each URL must be in a
separate row in the CSV file.

• Domains: To import the domain names from a CSV file, enter the domains in a separate row in the
CSV file.

• Browser URLs: To import the URLs from a CSV file, enter the file paths in separate rows in the CSV
file.

• Emails: Each row in the CSV file must correspond to an email ID and the corresponding password –
both separated by a comma.

• If you provide only the email ID in a row, then after you save the email deception object, the Manager
automatically adds a random password for the email ID.

• Mac Keychains: Each row in the CSV file must correspond to a keychain and the corresponding
keychain password – both separated by a comma.

• The first string in the row is considered as the keychain name and the string after the comma as its
password. If you provide only the keychain name in a row, then after you save the keychain deception
object, the Manager automatically adds a random password.

• FTP Profiles: To import FTP profiles from a CSV file, enter the FTP profiles in a separate row in the
CSV file.

• Browser Cookies: Each row in the CSV file must correspond to one cookie. That is, the first value
in a row must be the cookie name, cookie value, and cookie expiry timestamp – all separated by
commas.

Create the cookie expiry timestamp as in the default cookie group.

• AD Computers: To import the names of computers to use for AD deception, enter each computer
name in a separate row in the CSV file.

• VPN: To import the names of VPN connections to use for VPN connection name deception, enter
each VPN connection name in a separate row in the CSV file.

2 Create or edit the corresponding deception object record.

For example, to upload user credentials to an existing deception object, do the following:

a Click Configuration and select Endpoint Policies | Protection Policies.

b In the ADSecure-EP pane, click Configure Now.

c Under Privileged Administrators or Service Accounts, click inside Select Credentials

Object(s) drop-down and expand the domain in which you want to upload the credentials.

d Click the edit icon present for the required domain group.

3 In the Bulk Input section, click Browse button and select the required CSV file.

4 Verify if the entities are imported and then click Save.

148 Attivo Cloud User Guide

 Deploying ThreatStrike
Creating deception objects for Lures 10

Creating deception objects using format specifiers

1 Create or edit the corresponding deception object record.

For example, to create entities in an existing credentials deception object record, do the following:

a Click Configuration and select Endpoint Policies | Protection Policies.

b Under Privileged Administrators or Service Accounts, click inside Select Credentials

Object(s) drop-down and click Create New.

2 In the Bulk Input section, enter the format specifier in the text box.

• Use %c and %C to insert a random alphabet in lower case and upper case respectively.

• Use %d to insert a random number.

• Use %s to insert a random special character.

3 From the adjacent list, select the number of entities you want to create.

4 Click

For example, if you use %Cils%c as the format specifier and select 5 as the number of entities to
be created, the possible values are: Ailsr, Tilsd, Milsk, Oilso, Nilse.

5 Verify the list of entities the Manager created and click OK to add these entities to the corresponding
deception object.

Note:
• For all entities which have a password field, the Attivo Cloud automatically adds a random password
when you save the deception object record.

• For domains, %s is not allowed.

Create a decoy server deception object

A decoy server deception object is a collection of IP addresses or fully qualified domain names (FQDN)
of the servers you plan to use in various EDN features. For example, these FQDNs are used to create
the deceptive tokens to be installed on the managed endpoints.
The decoy server deception object contains decoy IP addresses and deceptive domain names.
You can create deceptive FQDNs (domain names) and IP addresses at Configuration | Endpoint
Policies | DNS Policies. See Specify the DNS names and decoy IP addresses

How decoy server deception objects are used?

Decoy server deception objects are required for most of the EDN features. This section explains how
they are used in Lures. Decoy servers are used to create tokens for all applications in Lures except for
LSASS and Kereberos. If you consider FTP profiles, the FQDNs in the decoy server deception object are
used as the target FTP servers.
Decoy server deception objects enable you to group decoy servers for manageability. For example, you
can create separate decoy server deception objects for your Windows and Linux production servers.
Similarly, you can create a decoy server deception object, which contains the decoy host names you
want to use for SSH.
Then, in the protection policy, as part of selecting the inputs to create lures, you select the required
decoy server deception object.
For example, to generate token for browsers, the Attivo Cloud associates FQDN from the decoy server
deception object and a user name and password from the credentials deception object.

Attivo Cloud User Guide 149

10 Deploying ThreatStrike
Creating deception objects for Lures

Important: Consider that in a Lure, you are selecting the objects to construct lures for Google Chrome
application. The credentials object you selected contains the following deceptive users: joe@acme.com,
sam@acme.com, bob@sales.acme.com. Make sure, the decoy server object contains at least one server from
each domain. In the above example, define at least one server belonging to acme.com and at least one
belonging to sales.acme.com.

To deploy Lure on Mac endpoints, you must create DNS records for the decoy FQDN. Attivo Networks
recommends that you create decoy server objects exclusively for Mac endpoints. Then, on the
production DNS servers, create DNS records for the decoy FQDN selected in these decoy server objects.

Create a credential deception object

Credential deception object consists a list of user names. Each user name has an associated password
and other details such as first name, last name, and phone number, email address, and so on. All the
features, which involve deceptive credentials make use of these details. The other details are used only
for the deceptive Active Directory.
How credentials deception objects are used?
The Attivo Cloud uses the username-password pairs from a deception object when it constructs the
deception content. For example, consider deceptive tokens (lures). The Attivo Cloud uses the
username-password pairs from the credential deception object you specify to construct tokens for the
various applications such as SMB, browser URLs, and, emails.
Uses of credentials deception objects are as follows:
• Credential deception object enables easy manageability of username records.

• Based on how you want to configure the EDN features, you would need a long list of usernames.
The credentials deception object provides methods to import usernames in bulk. Also, a default
credentials deception object is provided.

• In a credential deception object, you can just provide the usernames and save the record. The
Attivo Cloud automatically adds a realistic-looking password for those usernames.

Note: You cannot use the following strings as usernames for deception objects as they are used internally
by Attivo Cloud: apache, mysql, www, nobody, nogroup, portmap, named, rpc, mail, ftp, shutdown, halt,
daemon, bin, postfix, shell, info, guest, psql, user, users, console, uucp, lp, sync, sshd, cdrom, ossec.

This section provides the steps to create a credentials deception object and enter the usernames one by
one.
Before you begin:
For deceptive tokens to look authentic, you must define domain users in a credential deception object.
To use domain users in a credential object, you must make sure that the required domains are already
defined in a domain deception object.
The domain name you use for a user name can be one of the following:
• The deception domain name is configured on the deception AD server. For this, the Attivo Cloud
automatically creates a domain deception object when you install the deception AD.

• Default deceptive domain names are defined in the Default Domain Group deception object.

• To use the production domains, you must first define the production domains in a domain deception
object. See Create a domain deception object.

Note: Consider that in a Lure, you are selecting the objects to construct lures for Google Chrome. The
credentials object you selected contains the following fake users: joe@acme.com, sam@acme.com,
bob@sales.acme.com. Make sure the decoy server object contains at least one server from each domain. In
the above example, define at least one server belonging to acme.com and at least one belonging to
sales.acme.com.

Steps:

150 Attivo Cloud User Guide

 Deploying ThreatStrike
Creating deception objects for Lures 10

1 Click Configuration and select Endpoint Policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

All the EDN features are displayed.

3 Click Configure now in the ADSecure-EP pane.

4 Under Privileged Administrators or Service Accounts section, click inside the Select Credential
object(s) drop-down box.

A dialog box is displayed.

5 Click Create New.

Add new window is displayed.

6 Enter the details in the corresponding fields.

Field Description
Name Enter a name for the domain user in the format that Attivo Endpoint Application must use
for domain users, when it installs the deceptive tokens on endpoints. For example, if you
choose UPN format, the user name is installed as dhaynes@mycompany.com on an
endpoint. If you choose NetBIOS format, the user name is installed as
mycompany\dhaynes.
Domain name Select the domain for the deceptive user names defined in this object. The list displays the
production domain names you defined at Configuration | Active Directory | AD
Configuration. Additionally, domains from all the domain deception objects are also
listed.
The production domains are listed even if you delete the AD records.
To add a non-domain user name, select None in the list.
Bulk Input Use the browse icon, navigate to the folder path and select the required csv file.
For information on how to import usernames from a CSV file, see Upload deception objects
through CSV file.

Note: Make sure the user names and passwords meet the required criteria mentioned in
the next step.

7 In the Auto Generate section,

• Use %c and %C to insert a random alphabet in lower case and upper case respectively.

• Use %d to insert a random number.

• Use %s to insert a random special character.

For information on how to create usernames using format specifiers, see Create deception objects
using format specifiers.

8 From the adjacent list, select the number of entities you want to create.

9 Click Add icon.

For example, if you use %Cils%c as the format specifier and select 5 as the number of entities to
be created, the possible values are: Ailsr, Tilsd, Milsk, Oilso, Nilse.

10 Enter a username and click Add icon.

• The username is added to the end of the list.

• Add more usernames if required.

Attivo Cloud User Guide 151

10 Deploying ThreatStrike
Creating deception objects for Lures

Note: Maximum length is 32. A user name can contain alphabets, numbers, period, underscore, and
hyphens. No other characters are supported. Also, make sure there are no consecutive underscores or
hyphens in the user name.

11 To add password and other details, select the username and click the edit icon.

Note: Minimum length is 8 and maximum is 14. The password cannot contain blank space, semicolon, or
comma.

• Use the Search box to locate a username.

• If you do not enter a password, the Attivo Cloud automatically adds a random password when you
save the credential deception object.

• Enter the following details for those usernames that you plan to use for the Active Directory deception
feature.

• First Name

• Last Name
• Description

• Office

• Telephone Number

• Email

• Address

• ZIP code

• Country

• Web page

12 To edit a single username, mouse over on the username and click edit icon.

13 To delete a single username, mouse over on the username and click delete icon.

14 To delete all the usernames, click Delete all.

15 Click Save to save the credentials deception object.

Create a domain deception object

A domain deception object contains the decoy domain names, which the Attivo Cloud uses to create
Local Security Authority Subsystem Service (LSASS) lures. Therefore, domain deception objects are
required only if you plan to create LSASS tokens through Lures.
In the domain deception object, provide the decoy domains and the corresponding NetBIOS names. To
use the decoy AD server for engagement, include the domain of the decoy AD server in this list.
Subsequently, in the Lure record, you must select the domain deception objects and credentials (user)
object to construct the lures for LSASS. If the deceptive users are domain users, then the domain name
in the credentials object and the domain deception object must match. For example, if the domain
name in the domain deception object is acme.com, the user defined in the credentials object must
belong to acme.com. For the Attivo Cloud to detect the LSASS lures, make sure you have defined these
decoy domains.

152 Attivo Cloud User Guide

 Deploying ThreatStrike
Creating deception objects for Lures 10

Make sure that the production DNS can resolve the decoy domains to the decoy IP addresses. If the
DNS resolution fails, then the other option is the SIEM agent on a compromised endpoint reporting the
failure to the SIEM. The Attivo Cloud will query the configured SIEM for failed attempts involving the
deceptive user names.

Steps:
1 Click Configuration and select Endpoint Policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

All the EDN features are displayed.

3 Click Configure now in the Lures pane.

4 Click the LSASS application.

A record is created to select the decoy domain deception object and the credential deception
object.

5 Click inside Domain(s) drop-down and click Create New in the dialog displayed.

Add new window is displayed.

6 Enter the details in the corresponding fields.

Field Description
Name Enter a relevant name for the domain deception object.
For example, enter acme.com.

Note: Enter fully qualified domain names (FQDNs). Maximum length is 255. Allowed
characters are alphabets, numbers, hyphen, and period.

NetBIOS Name Enter the corresponding NetBIOS name.

7 After adding the details, click Update.

Create a browser URL deception object

A browser URL deception object contains a list of deceptive URLs and titles.
The Attivo Cloud uses the URLs and titles in a browser URL deception object to construct the deceptive
tokens for the supported browsers. The Attivo Cloud chooses an IP address or FQDN from the
corresponding decoy server deception object, a file path and title from the browser URL deception
object, username from a credentials deception object, and a cookie from the deception object to
construct a deceptive token for a browser.
In the browser URL deception object, just provide a URL. Do not provide IP address or host name.
This section provides the steps to create a browser URL deception object and enter URLs one by one.
Steps:
1 Click Configuration and select Endpoint Policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

All the EDN features are displayed.

3 Click Configure now in the Lures pane.

Attivo Cloud User Guide 153

10 Deploying ThreatStrike
Creating deception objects for Lures

4 Click the Browser Favorites application. You can also choose to add Google Chrome, Chromium
Edge, and Mozilla FireFox applications.

A record is created to select the decoy server deception object and the URL deception object.

5 Click inside URL(s) drop-down and click Create New in the dialog displayed.

Add new window is displayed.

6 In the URL field, enter a URL.

For example, enter profiles/employees/index.htm#index.htm.

7 In the Title field, enter the title to be displayed on the browser.

For example, Employee Details.

Note: The URL cannot contain underscore or semicolon or blank space.

8 Click Update to save the browser URL deception object.

Repeat the above steps to add the required URLs and corresponding titles.

Create an email deception object

An email deception object is a collection of deceptive email addresses and passwords. The Attivo Cloud
uses these emails and passwords to create deceptive tokens for Outlook and Thunderbird email clients.
To construct these tokens, the Attivo Cloud chooses a decoy from the corresponding decoy server
deception object as the SMTP server.
This section provides the steps to create an email deception object and enter the email addresses one
by one.
Steps:
1 Click Configuration and select Endpoint Policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

All the EDN features are displayed.

3 Click Configure now in the Lures pane.

4 Under Windows tab, add the Outlook application. You can also choose to add the Thunderbird
application under Linux tab.

A record is created to select the decoy server deception object and the E-mail deception object.

5 Click inside Email(s) drop-down and click Create New in the dialog displayed.

Add new window is displayed.

6 Enter an email ID in the Email field.

Note: Maximum length is 254. Allowed characters are alphabets, numbers, underscore, and period. Use
@ to separate the domain name and user name. For example, joe_doe@acme.com or
joe.doe1@acme.com. Make sure there are not more than one underscore or period in the email ID.

7 Add the password in the Email Password field.

• If you do not enter a password, the Attivo Cloud automatically adds a random password when you
save the email deception object.

154 Attivo Cloud User Guide

 Deploying ThreatStrike
Creating deception objects for Lures 10

• Minimum length is 8 and maximum is 14. The password cannot contain blank space, semicolon, or
comma.

8 Click Update to create the email deception object.

Create a Web FTP profile deception object

A Web FTP profile deception object contains fake folder paths, which the Attivo Cloud uses to construct
deceptive tokens for Web file transfer.
The folder paths you define in a FTP profile deception object are nonexistent. To create a deceptive
token for Web file transfer, the Attivo Cloud takes an decoy IP address or FQDN from the decoy server
deception object, an FTP folder from an FTP profile deception object, and username-password from a
credential deception object.
In the FTP profile deception object, you just need to provide the folder name. Do not provide IP address
or host name.
This section provides the steps to create an FTP profile deception object and enter the folder paths one
by one.
Steps:
1 Click Configuration and select Endpoint Policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

All the EDN features are displayed.

3 Click Configure now in the Lures pane.

4 Add the Web File Transfer (IE) application.

A record to select the decoy server deception object, FTP deception object, and the credential
deception object.

5 Click inside FTP(s) drop-down and click Create new.

Add new window is displayed.

6 Enter a deceptive file path in the FTP path field.

For example, enter home/self-service/software

Repeat this step to add more file paths.

7 Click Update to save the FTP deception object.

Create a browser cookie deception object

A browser cookie deception objects contains deceptive cookie records. Each cookie record in turn
contains a cookie name, value, and expiry timestamp. You need browser cookie deception objects to
configure deceptive tokens for browser cookies.
How the Attivo Cloud constructs a browser cookie is explained as follows:
• The Attivo Cloud chooses the appropriate FQDN from the decoy server deception object and file
path from the browser URL deception path to construct the complete URL of the deception content.

Note: Deceptive tokens for browser cookies may not get installed if the FQDN contains underscore
character.

Attivo Cloud User Guide 155

10 Deploying ThreatStrike
Creating deception objects for Lures

• The Attivo Cloud chooses cookie name, cookie value, and expiry timestamp from the browser
cookie deception object to complete the browser cookie token.

So, to construct the browser cookie, the Attivo Cloud uses values from 3 deception objects –
decoy server deception object, browser URL deception object, and the browser cookie deception
object.

This section provides the steps to create a browser cookie deception object.
Steps:
1 Click Configuration and select Endpoint Policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

All the EDN features are displayed.

3 Click Configure now in the Lures pane.

4 Add the Cookies (All browsers) application.

A record to select the decoy server deception object, Cookies deception object, and the URL
deception object.

5 Click inside Cookie(s) drop-down and click Create new.

6 In the Cookie Name field, enter a cookie name.

7 In the Cookie Value field, enter a random number. This cookie value will be used by the server
(which created the cookie) to remember the user who visited the site again.

8 In the Minimum Retention Period and Maximum Retention Period fields,

• Enter the range for the cookie expiry time.

• In the Minimum retention period field, enter the minimum number of days for which the
cookie must be retained. The minimum value possible for this field is 7 days and the default is
90 days.

• In the Maximum retention period field, enter the maximum number of days for which the
cookie must be retained. The default value is 365 days and the maximum value possible is 730
days.

• Attivo Endpoint Application selects a random value between the Minimum retention period
and Maximum retention period as the expiry time for the cookie. For example, you
configured 14 for Minimum retention period and 30 for Maximum retention period. The
timestamp when Attivo Endpoint Application is inserting the deceptive cookie is 4 pm on January
1. Attivo Endpoint Application picks a random value between 14 and 30 days. Assume that it
picked 15 days. Then, the expiry timestamp for the cookie is set as Jan 16, 4 pm.

• Attivo Endpoint Application computes the expiry timestamp when a deception cookie is inserted.
So, the same cookie can have different expiry timestamps for different users.

9 Repeat the above steps to create the required cookie records.

10 Click Update to save the browser cookie deception object.

Create VPN connection name deception object

A Windows Native VPN connection name deception object contains the VPN connection names which the
Attivo Cloud uses to complete the VPN token creation. The deceptive VPN connection token is deployed
at the endpoint by using the server, credentials and VPN connection name deception objects.

156 Attivo Cloud User Guide

 Deploying ThreatStrike
Creating deception objects for Lures 10

How VPN connection name deception object is used?

The Attivo Cloud chooses an decoy IP address or FQDN from the corresponding decoy server deception
object, user name from a credentials deception object and VPN connection name from the VPN
connection name deception object.
Steps:
1 Click Configuration and select Endpoint Policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

All the EDN features are displayed.

3 Click Configure now in the Lures pane.

4 Add the Windows Native VPN Connection Name application.

5 Click inside VPN (s) drop-down and click Create new.

Add new window is displayed.

6 Enter the deceptive VPN connection name in the Connection Name field.

7 Click Update to save the VPN connection name deception object.

Scripts & Files deception object

Scripts & Files deception objects contain decoy documents, scripts, files, and fake file paths which the
Attivo Cloud uses to create deceptive tokens for scripts & files. Using this deception object, you can add
your own fake content in any plain text file or use the required header code and customize any plain
text file before you upload the file to Attivo Cloud.
When you use the header code, you need to provide the values for the parameters that are required to
be inserted in the scripts and files. The header code differs based on the service that you want to
customize. Depending on the service, the Attivo Cloud chooses content from the required deception
objects and replaces the values of the parameters (in the header code) with the chosen data to create
the deceptive token for decoy documents, scripts & files. For details on the parameters, see Header
parameters.

Note: If you do not use any header code and use your own fake content in the text file and upload it, then
the Attivo Cloud copies the file on the endpoint as it is without replacing any values.

A default Scripts & Files object is available. If the default object does not meet your requirements, you
can clone it and modify as required.
Note:
• Default Scripts & Files object contains scripts and files but does not contain decoy documents.

• You cannot edit the default scripts & files object.

• You can deploy deceptive tokens for decoy documents, files & scripts on endpoints using Attivo
Endpoint Application. See Deploying decoy documents on production endpoints/servers.
Deceptive Credentials usage event is generated when an attacker tries to execute the decoy script or
access configuration files.

Create a Scripts and Files deception object

This section provides the steps to create a scripts & files deception object.
Before you begin:
• You have uploaded the required decoy documents, or script / text files in Attivo Cloud.

Attivo Cloud User Guide 157

10 Deploying ThreatStrike
Creating deception objects for Lures

• For text files and scripts, either you have the fake content in a plain text file or you have updated the
header section with the required header code in the plain text file. The default header code can be
obtained by downloading any file contained in the default Scripts & Files deception object.
Steps:
1 Click Configuration | Endpoint Policies | Deception Objects.

2 Click Scripts & Files from the list of deception objects.

List of Scripts & Files deception objects (along with default Scripts & Files deception object) are
displayed. You can edit, clone, download and delete the required Scripts & Files deception object
using the corresponding buttons. Recall that you cannot edit the default scripts & files object.

3 Click Add.

Add window is displayed.

4 Enter a relevant name for the deception object.

5 Select the required object type: Decoy Documents or Scripts & Files.

Decoy Documents

Currently acceptable document file formats are .docx, .pptx, .zip, .xlxs, and .pdf. Below mentioned
are the supported applications which re-direct http callbacks embedded in the pdfs. The supported
applications are categorized based on the operating systems.

Windows

• Adobe Acrobat Reader (standalone). You need to click Allow in the popup dialog.

• Microsoft Reader (version 2.1.1 and above).

Mac OS
• Adobe Acrobat Reader (standalone). You need to click Allow in the popup dialog.

• PDF Expert (version 2.4.24 and above).

Note:

• When uploading PDF documents to insert callbacks to Attivo Notification Server, the total
number of characters of the PDF file name and email address should not exceed 80.

• Callback does not work for the pdf documents, if opened in the web browsers irrespective of the
operating systems.
• Currently, none of the applications in Linux support decoy document feature for pdf file format.

• Multiple documents can be zipped to a .zip file format and uploaded. In this case, all the
documents in the zip file will be listed separately in Attivo Cloud.

• Zip file must not be password protected.

• Callbacks inserted into the decoy documents are not deleted. Hence, it is recommended to
upload a fresh document to convert it to a decoy document.

a In the Files field, click inside the drop-down and select the required document and click + icon.
Repeat this step to add more decoy documents. This drop-down displays the decoy documents
which are already uploaded. Click Upload to upload the decoy documents additionally.

b The selected decoy document/s get added and displayed in the table.

c The table displays the following information for the uploaded decoy document/s:

• File name

• File path

158 Attivo Cloud User Guide

 Deploying ThreatStrike
Creating deception objects for Lures 10

• Notification status.

d By default, the decoy documents are stored in <HomePath>. To edit the file path and name, select
the record in the table section and click Edit. Attivo Cloud provides predefined base folders in
which you can deploy the decoy documents and script/text files on the endpoint. See Base folders

e Select the folder where you want to deploy the decoy file on the endpoint and provide the file path
including the name, and click .

You will be returned to the Add window.

f Click Notification Server Configuration to configure the Callback settings.

Notification Server Configuration window is displayed.

g Enable the Notification Server Configuration.

By default, the Server Domain field displays “Zeptotrail.com”.

h In the Email Address field, enter the email address to which the callback notification must be
sent.

i Click Save button in the Notification Server Configuration window.

You will be returned to Add window. You can edit, delete or download the required decoy
document using the corresponding buttons if required.

• To deploy the decoy document on the production endpoints/servers, you must download it first.
You must select the required decoy document and click Download. The decoy document is
downloaded as a Zip file which includes the decoy document and a .csv file (containing the SHA1
of the file).

• To download multiple decoy documents as a .zip file, select the required decoy documents and
click Download button.

• You can use the hash to configure DLP solution to check exfiltration of the decoy documents in
your environment.

• Once a document is downloaded as a decoy document, it can be deployed on the production

servers/endpoints. See Deploying decoy documents on production endpoints/servers

j Click Save button in the Add window.

Scripts & Files

a In the Files field, click inside the drop-down and select the required script or text file/s and click
+ icon. Repeat this step to add more decoy script or text files. This drop-down displays the script
or text files which are already uploaded.

• Click Manage to manage (upload, download, delete) the already uploaded script or text files.
see Manage Scripts & Files

• Click Upload to upload the script or text files additionally.

b The selected decoy script or text files get added and displayed in the table.

c The table displays the following information for the uploaded script or text files:

• File name

• Service

• File path.

Attivo Cloud User Guide 159

10 Deploying ThreatStrike
Creating deception objects for Lures

d By default, the decoy files are stored in <HomePath>. To edit the file path and name, select the
record in the table section and click Edit. Attivo Cloud provides predefined base folders in which
you can deploy the decoy documents and script/text files on the endpoint. See Base folders

e Select the folder where you want to deploy the decoy file on the endpoint and provide the file path
including the name, and click .

You will be returned to the Add window.

f You can edit, delete or download the required script or text file using the corresponding buttons if
required.

g Click Save button in the Add window.

6 All the newly added Scripts & Files deception object (decoy documents and decoy script/text files) will
get listed in the Scripts & Files deception objects page. You can download the required deception
object. The page also displays the count of the files in the deception object.

Base folders
The base folders are mapped to specific location on the endpoints as under:

Base Folder Path Mapping on Windows endpoints Path Mapping on Linux and Mac
name endpoints
HomePath %SYSTEMDRIVE%\Users\{username} /home/<username>
Desktop %SYSTEMDRIVE%\Users\{username}\Desk /home/<username>/desktop
top
Videos %SYSTEMDRIVE%\Users\{username}\Vide /home/<username>/Videos
os
Pictures %SYSTEMDRIVE%\Users\{username}\Pictu /home/<username>/Pictures
res
Downloads %SYSTEMDRIVE%\Users\{username}\Dow /home/<username>/Downloads
nloads
Documents %SYSTEMDRIVE%\Users\{username}\Docu /home/<username>/Documents
ments

You can also provide a custom folder path.

Note: Attivo Cloud only creates the last folder of the specified custom path. You must make sure all its
parent folders are created.

Deploying decoy documents on production endpoints/servers

You can deploy the decoy files on the production servers/endpoints automatically.
Steps:
1 Create a Scripts & Files deception object. See Scripts & Files deception object

2 Create a ThreatStrike Profile and select the configured deception object for the Windows: (Scripts &
Files) application.

3 Create a Protection Policy for lures.

4 Generate the Attivo Endpoint Application.

5 Install the Attivo Endpoint Application on endpoints.

This workflow will deploy the decoy files at the configured file paths using the deceptive tokens
specified in the lures.

Manage Scripts & Files

You can upload, download, and delete scripts & files from this page.

160 Attivo Cloud User Guide

 Deploying ThreatStrike
Creating deception objects for Lures 10

Steps:
1 Click Configuration | Endpoint Policies | Deception Objects.

2 Click Scripts & Files in the Deception Objects page.

3 Click Add.

4 Select object type as Scripts & Files.

5 Click Manage.

6 Click the Upload button in the Manage Scripts & Files page.

7 Select the file that you want to upload and click the Add button.

Header parameters
Recall that you can customize any plain text file using the default header code. This section details the
parameters that are required to be inserted in the scripts and files before you upload them in the Attivo
Cloud.
#service_type=FTP - Indicates the service that you want to customize. Following are the supported
services: SSH, FTP, RDP, SMB, HTTP, MYSQL, and MSSQL. This parameter is mandatory.
#credOS=WINDOWS - Indicates the endpoint OS type on which you want to deploy decoy scripts and
files: WINDOWS, LINUX, and MAC. Multiple values in the parameter must be separated by a comma.
#username=marker:"<strUser>" - Indicates the username. Attivo Cloud replaces the username
parameter value with the fake content defined in the Credential deception object.
#password=marker:"<strPasswd>"- Indicates the password. Attivo Cloud replaces the password
parameter value with the fake content defined in the Credential deception object.
#server=marker:"<strServer>"- Indicates the deceptive IP address. Attivo Cloud replaces the
server parameter value with the fake content defined in the Decoy server deception object.
#port=marker:"<strPort>" - Depending on the service, Attivo Cloud replaces the value with the
default port for the service.
#share=marker:"<strShare>” - Indicates the SMB share folder. Attivo Cloud replaces the value for
the share parameter with the fake content defined in the SMB share deception object.
#uploaded_log_file_name=
You can use this header code to specify the name for the file which you want to associate with the file
in which this header code is present.

Note: You can specify the name of only one file using this header code.

#hide_file_attribute=
• In this header code, you can specify the value as “1” to hide the file on the endpoint.

• In this header code, you can specify the value as “0” to unhide the file on the endpoint.

#hide_logfile_attribute=
• In this header code, you can specify the value as “1” to hide the associated log file on the endpoint.

• In this header code, you can specify the value as “0” to unhide the associated log file on the endpoint.

#override_json
You can use this header code to define the values for the below parameters:
• username

• servername

• sharename

Attivo Cloud User Guide 161

10 Deploying ThreatStrike
Creating deception objects for Lures

• targetlogfilename

The values specified for username, servername and sharename parameters will over ride the values
present in the endpoint JSON. The value specified for targetlogfilename will be used as the file name for
the associated log file when installed on the endpoint.
Example:
#override_json_start

"override_info": [

{"username" : "<username>", "servername" : "<servername or IP address>", "sharename" :

"<sharename>", "targetlogfilename" "<targetfilename>": "overrideLogFile.txt"
"<overridelogfile>", "port" : "<portnumber>" }

}
#override_json_end

• The values present in the existing endpoint JSON will get overwritten with the values specified above.

• The values specified for "username", "servername", and "sharename" parameters above should be
the subset of the corresponding object(s) selected for Scripts & Files deception object in ThreatStrike
profile.

Note: If you are using a header code and customizing a text file, then service_type is the mandatory
parameter. Also, at least one of the parameters other than service_type must be present in the file to
convert the uploaded text file/script to decoy script or file.

Create an Oracle Database deception object

An Oracle Database deception object contains the database name, port number, and alias names which
the Attivo Cloud uses to create deceptive tokens for Oracle database application. Database deception
objects are required only if you plan to create Oracle database tokens through Lures.

Note: To install deceptive tokens for Oracle database application, you must install Attivo Endpoint
Application in service mode.

This section provides the steps to create an oracle database deception object.
Steps:
1 Click Configuration and select Endpoint Policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

All the EDN features are displayed.

3 Click Configure now in the Lures pane.

4 Add the Oracle Database application.

A record is created to add the decoy server deception object the Oracle Database deception object.

162 Attivo Cloud User Guide

 Deploying ThreatStrike
Managing deception objects 10

5 Enter the details in the corresponding fields.

Field Description
Database Name Enter a deceptive Database name.
Port Enter the port number to be used for Oracle database.
Bulk Input For information on how to import alias names from a CSV file, see Upload deception objects
through CSV file.
For information on how to create alias names using format specifiers, see Managing
deception objects.
Alias Name Enter alias name and click .

6 In the Auto Generate section,

• Use %c and %C to insert a random alphabet in lower case and upper case respectively.

• Use %d to insert a random number.

• Use %s to insert a random special character.

For information on how to create usernames using format specifiers, see Create deception objects
using format specifiers.

7 From the adjacent list, select the number of entities you want to create.

8 Click Add icon.

For example, if you use %Cils%c as the format specifier and select 5 as the number of entities to
be created, the possible values are: Ailsr, Tilsd, Milsk, Oilso, Nilse.

9 Enter a Alias name and click Add icon.

• The username is added to the end of the list.

• Add more Alias names if required.

Note: Maximum length is 32. A user name can contain alphabets, numbers, period, underscore, and
hyphens. No other characters are supported. Also, make sure there are no consecutive underscores or
hyphens in the Alias name.

Managing deception objects

You can manage (edit, clone, delete) the deception objects in Deception Objects page (Configuration
| Endpoint Policies | Deception Objects).

Edit a deception object

If required, you can edit the deception objects you have created. You cannot edit the default deception
objects. If required you can clone the default deception objects and edit as required.
Steps:
1 Click Configuration, select Endpoint Policies | Deception Objects and select the required
deception object.

2 Select the required record and click Edit button.

3 Edit the details for the deception object and click Save.

Attivo Cloud User Guide 163

10 Deploying ThreatStrike
Configure lures

Clone a deception object

If required, you can clone a deception object and modify the records as per your requirements. For
some deception objects, a default record is provided. You can clone the default record and build on it or
modify it as required.
Steps:
1 Click Configuration, select Endpoint Policies | Deception Objects and select the required
deception object.

2 Select the required record and click Clone.

Delete a deception object

You can delete the deception objects, which you do not require.

Before you begin:

The deception object you want to delete is not in use in any of the features.
Steps:
1 Click Configuration, select Endpoint Policies | Deception Objects and select the required

deception object.
2 Select the required record and click Delete.

3 Click OK to confirm deletion.

Note: You can only delete the manually created deception objects and not the default deception objects.

Configure lures
To deploy lures, create a protection policy that has Lures enabled. You can also choose to edit an
existing protection policy and include Lures in it.
Use this protection policy to generate Attivo Endpoint Application and install it on your endpoints

Create a protection policy

A protection policy is a set of rules that you can define for your feature configurations. As part of a
protection policy, you can choose to create a set of rules for different endpoint features like ADSecure-
EP, Deflect, Ransomeware, Threatpath, and Lures.
The set of rules that you create for Lures will map an application with the required deception objects.
To configure Lures, you can select the Lures option.
Before you begin:
• You have identified the applications for which you plan to create the deceptive tokens.

• You have created the required deception objects for the identified applications.
Steps:
1 Click the Configuration button and select Endpoint policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

164 Attivo Cloud User Guide

 Deploying ThreatStrike
Configure lures 10

3 Click Configure Now in the ThreatStrike pane.

List of supported applications that are categorized based on the operating system are displayed.

4 To search an application, you can type the first few characters of the application name in the Search
field and select the application.

5 Under Insert Deceptive Lures tab, the rules (endpoint lures) are loaded by default for each of the
application under the Windows, Linux, and Mac tabs. The default rule will add the respective deception
objects based on the application type.

• If required, add more deceptive lures by adding the rules for the required Windows, Linux, and Mac
applications.

• To add the applications under Windows, Linux, and Mac tabs, click the + icon present for the
required application present in the Add all applications pane.

• As soon as you add an application, a rule will be created and added automatically. The rule will
add the deception objects as per the application added.
• You can add a single application up to a maximum of 5 times. After the first addition of an
application, the deceptive objects in the subsequent rules are displayed as blank so that you can
select the deceptive objects as per your requirement. The deception objects will be listed as per
the application selected.

• To add all the applications of all the supported operating systems, click the Add all in the left pane.
By default, a rule for each of the application will be created and added automatically.

• If you click the Add all applications after adding rules for certain applications, then all the
applications will be added again. However, if the applications are already added more than 5
times, then those applications will not get added.

• Only one rule can be created for the below applications.

• Scripts & files

• DNS

• Local administrators

• Kerberos

• For SMB application, you can add multiple rules with different files for different SMB shares.

• To remove all the applications, you can click Remove all applications.

• To reset the applications, you can click Reset to default(s).

Notes:

• Only one rule can be created for each of the below applications.

• DNS

• Local administrators

• Kerberos

Attivo Cloud User Guide 165

10 Deploying ThreatStrike
Configure lures

6 To add the lures in the cloud decoys that are configured, click the Settings icon and select the
applicable cloud.

7 For each of the application you can use the Settings icon to configure the number of deceptive tokens
to be inserted, enable/disable the option to update the timestamps for the deceptive tokens, enable/
disable the options to use the deceptive user credentials or the logged-in user credentials, and others.

The following table provides information specific to the fields and options present in the
Configuration window.

166 Attivo Cloud User Guide

 Deploying ThreatStrike
Configure lures 10

Count Count Randomize up to: Enter the maximum number of deceptive tokens to be inserted
per application per endpoint.
For example, if you enter 5 as the value, then Lures installs up to 5 deceptive tokens per
application on each endpoint. This ensures that not all endpoints have the same number
of deceptive tokens.
Attivo Cloud calculates a random value every time it installs deceptive tokens for an
application. Consider that the randomization value you entered is 5 and you selected SMB
and RDP as the applications. You are installing the Attivo Endpoint Application for all users
on a Windows endpoint. Currently, user1 and user2 are logged on that endpoint. Attivo
Cloud calculates a random value between 1 and 5 for SMB for user1; a different value
between 1 and 5 for RDP for user1. Similarly, it calculates the random value separately for
SMB and RDP for user2.
Count Learned Multiplier: This option maximizes the chances of attackers using stolen
deceptive tokens against the real ones. For example, if you select this option with a value
of 5, then lures checks the number of real tokens present for an application on the
endpoint.
Suppose that there is one real SMB token on an endpoint. Then, attempts to install 5
deceptive SMB tokens on that endpoint.

Note: You can install up to 10 deceptive tokens per application if you specify a value for
Count Learned Multiplier.

Refresh Select this option to regularly update the TimeStamp of the deceptive tokens on Windows
endpoints. Attackers might not choose to use old tokens. So, refreshing the TimeStamp
makes deceptive tokens appear like they are used often by users.

Important: Enabling this option runs a persistent agent on the corresponding Windows
endpoints.

Connect to decoys Select this option to connect to the corresponding S3 or File Storage decoys.
Use deception user These two options are related and determine the user names to be used in the deceptive
credentials tokens.
The user names in the deceptive tokens can be sourced from the following:
• Credential deception objects.
Use logged-on user • User names of those who are currently logged on to the endpoint.
credentials • Real user names saved on the endpoints.
You can choose to use both deceptive as well as real user names, use only the real user
names, or use just the deceptive user names.
The real user names are the user names of the logged on users and real user names saved
on endpoints. For the real user names, Attivo Cloud uses passwords from the credential
deception objects.
Use deception user This setting uses only the user names defined in the selected credential deception objects.
credentials: Selected That is, no real user names are used.
Use logged-on user
credentials: Not
selected
The following settings use the credential deception objects as well as real user names to generate the deceptive
user names for the tokens. Choosing one or more credentials deception object is mandatory for the following
settings.

Attivo Cloud User Guide 167

10 Deploying ThreatStrike
Configure lures

Use deception user The user names for the deceptive tokens are generated from the following sources:
credentials: Selected • Only for Windows endpoints: The real user names of the corresponding service,
which are saved on the endpoint. The real user names (without the domain) are used
as is. Consider that jparker and jim_parker are the user names saved in PuTTY on an
endpoint. Then either jparker or jim_parker is considered for creating the deceptive
Use logged-on user tokens for PuTTY. Preference is given to the user name that belongs to the same domain
credentials: As-is as the endpoint.

Note: The real user names are not considered for the following applications: Mozilla
Firefox, LSASS, Cookies.
In case of Internet Explorer and Google Chrome, the real user names are considered
only if the domain is the same as the domain of the logged on user.

• The currently logged on user without any modification.

• The user names in the credential deception objects.
Use deception user The user names for the deceptive tokens are generated from the following sources:
credentials: Selected
• Only for Windows endpoints: The real user names of the corresponding service,
which are saved on the endpoint. The real user names (without the domain) are used
as is. Consider that jparker and jim_parker are the user names saved in PuTTY on an
endpoint. Then both jparker and jim_parker are considered for creating the deceptive
Use logged-on user tokens for PuTTY. Preference is given to the user names that belong to the same domain
credentials: Apply as the endpoint.
default transformation
Note: The real user names are not considered for the following applications: Mozilla
Firefox, LSASS, Cookies.
In case of Internet Explorer and Google Chrome, the real user names are considered
only if the domain is the same as the domain of the logged on user.

• The user names in the credential deception objects as is.

• Currently logged on users appended with the following strings:
• administrator (only for Windows endpoints)
• root (only for Linux and Mac)
• sysadmin (only for Linux and Mac)
• admin
• sysoper
• priv
• domain
• lab
• test
• sysdb
• system
• user
• corp
• demo
• guest
For example, if a logged on user name is john, then a deceptive user name could be
john_admin.

168 Attivo Cloud User Guide

 Deploying ThreatStrike
Configure lures 10

Use deception user The user names for the deceptive tokens are generated from the following sources:
credentials: Selected • Only for Windows endpoints: The real user names of the corresponding service,
which are saved on the endpoint. The real user names (without the domain) are used
as is. Consider that jparker and jim_parker are the user names saved in PuTTY on an
endpoint. Then both jparker and jim_parker are considered for creating the deceptive
Use logged-on user tokens for PuTTY. Preference is given to the user names that belong to the same domain
credentials: Apply as the endpoint.
user transformation
Note: The real user names are not considered for the following applications: Mozilla
Firefox, LSASS, Cookies.
In case of Internet Explorer and Google Chrome, the real user names are considered
only if the domain is the same as the domain of the logged on user.

• The user names in the credential deception objects as is.

• A variation of a currently logged on user.
You must enter format specifiers or fixed static values for Attivo Cloud to create a
variation of a user name currently logged on to the endpoint.
Use %d to insert a random number, %c for a random lower-case letter, and %C for a
random upper-case letter.
As per the format specifier, characters are appended to a currently logged on user
name. For example, user john is the currently logged on user on an endpoint and you
entered %C%d as the format specifier. Then, a deceptive user name could be johnJ4.
If you enter a fixed value like a character, number or a special character, they are
appended to a currently logged on user name. For example, user john is currently
logged on user on an endpoint and you entered P9. Then, deceptive user name would
be johnP9.
The following settings use just the currently logged on user names to generate the deceptive user names.
Use deception user Only the user names who are currently logged on to the endpoint is used without any
credentials: Not modification in the deceptive tokens.
selected
For example, if jdoe is the only user currently logged on to the endpoint, and there are 10
Use logged-on user deceptive tokens inserted in the endpoint, then all these tokens have jdoe as the user
credentials: As-is name.
Use deception user The user names for the deceptive tokens are generated by appending the following strings
credentials: Not to the currently logged on users:
selected
• administrator (only for Windows endpoints)
• root (only for Linux and Mac)
Use logged-on user • sysadmin (only for Linux and Mac)
credentials: Apply
• admin
default transformation
• sysoper
• priv
• domain
• lab
• test
• sysdb
• system
• user
• corp
• demo
• guest
For example, if a logged on user name is john, then a deceptive user name could be
john_admin.

8 Click Add.

9 Based on the application type (Windows, Linux, Mac) you have added for the Protection policy, select
the respective servers, users, domains, FTPs, VPNs, and Emails whichever is applicable.

10 Click Add row to add more records for each of the application type. To remove a record, click
Remove row.

Attivo Cloud User Guide 169

10 Deploying ThreatStrike
Configuring credential protection in ThreatStrike

11 Under Protect Production Credentials tab, enable/disable protection for the production credentials
of the required Windows (supported) and third-party applications. See Configuring credential
protection in ThreatStrike

12 Click Save.

13 Click Apply Changes to associate the Lures configuration with the protection policy.

14 Click Download to download the Attivo Endpoint Application.

View Lures Report

The Lures Report displays the details such as IP Address / DNS name, Password, Username which are
present for each the application (Windows, Linux, Mac) configured in the Protection Policy.

Field Description
IP Address/DNS Displays the IP address or name of the DNS server which is configured for the selected
Name application type.
Password Displays the password which is present for the selected application type.
Username Displays the username which is present for the selected application type.

Configuring credential protection in ThreatStrike

Credential Protection feature is designed to reduce the probability of an attacker to launch an attack by
stealing the production credentials to zero.
Being part of Attivo’s Endpoint Detection Net (EDN) suite, ThreatStrike and ThreatPath features have
their own capabilities which also include the following with regards to securing of the credentials:
• ThreatStrike - using ThreatStrike, you can deploy deceptive tokens having user credentials,
browsing credentials, email client credentials, SSH credentials, Windows RDP credentials, etc., on the
endpoints. When the attackers consume these tokens during lateral movement, they end up targeting
the decoys and get engaged by the EDN Manager.

• ThreatPath - along with displaying potential lateral-movement paths, critical AD objects, and,
misconfigurations, ThreatPath also displays production and deceptive credentials (ThreatStrike)
present on the endpoints. It also reports the paths which attackers may leverage using the credentials
saved on the endpoints.

Most of the times it is not possible to remediate the credentials, and Credential Protection feature helps
you to protect the production credentials by hiding them. Since the real credentials are hidden, the
attacker will not be able to harvest any credentials using their custom tools (Mimikatz, Lazagne, etc.,).

Note: Credential Protection is supported only on the Windows endpoints. Following are the supported
Windows operating systems: Client - Windows 7, 8, 8.1, 10, Server - Windows Server 2012, Windows 2012
R2, Windows Server 2016, Windows Server 2019, Windows Server 2021, and Windows Server 2022.

Using Credential Protection, you can hide the production credentials of Windows applications and other
various third-party applications on the managed Windows endpoints.
Following table lists all the supported Windows and third-party applications in which you can protect the
credentials using Credential Protection feature:

170 Attivo Cloud User Guide

 Deploying ThreatStrike
Configuring credential protection in ThreatStrike 10

Application Application name

type
(Windows /
Third-party)
VPN Pulse Secure Desktop Client
FortiClient VPN
GlobalProtect (Palo Alto Networks, Inc.)
Remote Access Service (RAS) VPN
OpenVPN Connect
Messaging Cisco Webex Meetings
Zoom Cloud Meetings
Skype for Desktop
Skype for Business
Slack
Pidgin
Psi
Webex Teams
Microsoft Teams
Database Mssqlodbc
Clients
Oracle SQL Developer
Robomongo
Microsoft SQL Server Management Studio
MySQL Workbench 8.0 CE
DBVisualizer
MySQL Workbench
Squirrel SQL Client
PostgreSQL 12(PgAdmin 4)
Windows LSA Registry Hive
Credentials
SAM Registry
LSASS
NT Directory Service File (NTDS.DIT)
Autologon Registry
Wifi Service (wlansvc)
Pass The Ticket (PTT)
Remote MobaXterm
Admin Tools
TeamViewer
Putty
Cyber Duck
PuttyCM
Tiger VNC Viewer
RealVNC Server
RealVNC Viewer
OpenSSH (Windows)
Remote Desktop
Core FTP

Attivo Cloud User Guide 171

10 Deploying ThreatStrike
Configuring credential protection in ThreatStrike

Application Application name

type
(Windows /
Third-party)
FizeZilla Server
Any Desk
WinSCP
FTP Navigator
Tight VNC Server
FileZilla
Apache Directory Studio
Remote Desktop Connection Manager
Windows Box Sync
Credential
Vault
Credential Vault files
Internet Explorer (Version 9 and above)
Microsoft OneDrive
Cloud DropBox
Applications
Azure CLI
AWS Command Line Interface
Google cloud sdk (gcloud)
Backup and Sync (Google Cloud)
Google Drive
Browser Epic Privacy Browser
Chromium
Opera
Microsoft Edge
Mozilla
Comodo IceDragon
Vivaldi
Internet Explorer (version 8 and below)
Google Chrome
Source Code Tortoise SVN
Git
Apache Maven
Enterprise TallyPrime
Resource
Planning
Applications
Odoo
Memory Block Rekall
Dump Tools
Block Mimikatz
Block DumpIT
Browser Google Chrome
Cookies
Chromium
Microsoft Edge
Web Servers IIS Central Cert Provider

172 Attivo Cloud User Guide

 Deploying ThreatStrike
Configuring credential protection in ThreatStrike 10

Application Application name

type
(Windows /
Third-party)
IIS Application Pool
Email Clients Outlook
Windows Mail
Thunderbird
Outlook Express
KeePass KeePass
Composer Composer
iTunes iTunes
Jenkins Jenkins

Credential Protection feature hides the credentials of an application in such a way that only that
particular application will be provided the access to the file / location where the application stores and
manages all the saved credentials. For example, Chrome application stores all the saved credentials in
the credential store and only Chrome application will be provided the access to its credential store.
Therefore, any Un-authorized access to the protected credentials will be prevented.

How to protect the production credentials?

You can create a Protection policy and configure Credential Protection using ThreatStrike feature. While
configuring Credential Protection, you can choose to enable or disable Credential Protection feature for
the required applications (Windows and other third-party applications) as per your requirement.
Steps:
1 Click the Configuration button and select Endpoint policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Lures configuration to it.

3 Click Configure Now in ThreatStrike pane.

4 Click Protect Production Credentials tab.

List of all the supported Windows and third-party applications will be displayed in groups based on
their categories.

Attivo Cloud User Guide 173

10 Deploying ThreatStrike
Configuring credential protection in ThreatStrike

Field / option Description

1 Search an application exclusively by entering first few characters of the name of the
application.
2 Displays the total number of applications which are displayed in groups based on their
categories. You can click inside this drop-down box to view the applications displayed in
groups. You can also enable / disable the required applications / groups and click Apply.
3 Multiple: Select this option to view all the applications and application groups
irrespective of whether Alert only or Protect or Hide (hide the files with protect mode)
option is selected across the application and application groups.
Alert Only: Select this option to sort the list of application and application groups (in
which Alert Only option is enabled) by Alert only.
Protect: Select this option to sort the list of application and application groups (in which
Protection option is enabled) by Protect.
Hide: Select this option to sort the list of application and application groups (in which
Hide mode is enabled) by Hide option.
4 Show All Applications: Displays all the applications across all the application groups.
Show only recent applications (30days): Displays only the applications for which
Credential Protection (Alert only / Protect) was configured/modified recently within last
30 days.
5 Click to expand all the applications under each of the application group.
6 Click to collapse all the applications displayed in expanded mode under each of the
application group.
7 Click to go to the Exception Rules section where you can add allow rule for other
applications additionally.
8 Click to enable all the applications under each of the application group.
9 Click to disable all the applications under each of the application group.
10 Partial: Indicates that Credential Protection (Alert only / Protect) for some applications
are enabled whereas for some other applications it is disabled.
Enabled: Indicates that for all the applications across all the application groups the
Credential Protection is enabled.
Disabled: Indicates that for all the applications across all the application groups the
Credential Protection is disabled.
11 Multiple: This option indicates that Credential Protection is enabled/disabled with
various modes (Alert only, Protect, and Hide) across all application groups.
Alert Only: This option indicates that the applications and application groups are filtered
by Alert Only mode.
Protect: This option indicates that the applications and application groups are filtered
by Protect mode.
Hide: This option indicates that the applications and application groups are filtered by
Hide mode
12 Multiple: This option indicates that Credential Protection is enabled/disabled with
various modes (Alert only, Protect, and Hide) within the application group.
Alert Only: Select this option to sort the applications in which Alert Only mode is
selected within the group.
Protect: Select this option to sort the applications in which Protect mode is selected
within the group.
Hide: Select this option to sort the applications in which Hide mode is selected within
the group.

You can set Alert only, Protect, and, Hide options at both individual application level or at the
application group level.
• Alert only - with this option set, when there is an attempt to access the file / location where the
production credentials are stored, only an alert / event will be generated .

• Protect - with this option set, the credentials of the applications will be protected from un-authorized
access. Also, an alert will be reported for protecting the credential.

174 Attivo Cloud User Guide

 Deploying ThreatStrike
Configuring credential protection in ThreatStrike 10

• Hide - with this option set, the files having the credentials will be hidden in the file location and the
events are generated.

5 Under Exception Rules section, add the Allow Rules for other additional applications (processes/
services) if required.

a Click Add button.

Allow Rule dialog is displayed.

b Enter a name for the Rule in Rule Name field.

c Add the optional description in Description field.

d Select the required application and application groups in Select Application & Groups field.

Refer the example of configuration to understand how the Allow Rule configuration works.

e To add all the Processes/Services, User, and, Host categories in the Rule, click Add All in the left
pane. To add more categories, use the + icon.

f In the Process / Service category, click Settings icon.

Process/Service dialog is displayed.

g Enable Is Service option if you are adding a service in the Allow Rule configuration. If you enable
this option, you must provide a name for the service in the Service Name field. The configured
service will be excluded as exception.

h Enable Include Sub-directory option, if you want to automatically exclude all the sub-directories
of the process path or the working directory of the process.

i Enable Allow all children option, if you want to automatically exclude all the child processes
under the main process.

j Click OK button.

k Click Save button in the Allow Rule dialog to save the Allow rule configuration.

• To edit a rule, select the required rule and click Edit button.

• To clone a rule, select the required rule and click Clone button.

• Select a rule and click the vertical three dot icon to enable / disable the rule or to delete the rule.

• Click Refresh button to refresh all the listed Allow rules.

• To search an application exclusively, enter the first few characters of the name of the application in
the Search field.

6 Click Save.

7 After configuring Credential Protection for the required applications, you must generate the Attivo
Endpoint Application and deploy it on the Windows endpoints where you want to protect the
credentials.

Attivo Cloud User Guide 175

10 Deploying ThreatStrike
Configuring credential protection in ThreatStrike

176 Attivo Cloud User Guide

11 Deploying Deflect

Once an attacker is inside the network, he starts to move laterally looking for key targets with valuable
data. To determine key targets, the attacker may do a network reconnaissance probing for active hosts
and services on the network. Since an attacker typically has least information about the network, the
attack attempts may fall on incorrect targets leading to failed connections.
Deflect is an EDN feature in Attivo Cloud delivered by the Attivo Endpoint Application installed on the
endpoints. With the Deflect feature, every endpoint on the network becomes a decoy. Any connection
attempt by an attacker to a non-existing service on an endpoint can be detected and redirected to
Attivo Cloud. This feature almost closes any opportunity for an attacker to move laterally inside a
network.

How does Deflect work on an endpoint?

Let us consider the below two types of connections that an endpoint can have:
• It can receive connection attempts from other systems. This is incoming traffic to the endpoint, that
is trying to establish a connection with it.

• It can be an infected endpoint that has a malicious process running on it. It can initiate outgoing traffic
and try to establish a connection with other endpoints on your network.
These incoming and outgoing connection attempts could be targeting services that may not even exist
on endpoints or systems and hence resulting in failed connection attempts. You can use deflect to
detect and engage such failed connection attempts going to and from an endpoint.

Configure Deflect on an endpoint

You can configure Deflect on an endpoint for its incoming and outgoing connections separately or you
can choose to configure deflect in both directions on the same endpoint.

Deflecting inbound failed connections

To detect and engage incoming failed connection attempts to non-existing services on an endpoint,
configure deflect in the Inbound direction.
Configure deflect in the inbound direction on entities like Servers in your Network, which the attackers
typically choose to probe and gather information.
Deflect is triggered if,
• The failed incoming connection attempt to non-existing services on the endpoint matches the rule that
you defined in your deflect profile settings.

• There is a port reconnaissance activity of failed connections on that endpoint and it matches the rule
that you defined in your deflect profile settings.

You can define rules that trigger deflect for incoming connection attempts. Using these rules you can
customize and control what incoming connections you want to redirect. See Under Rules section, add or
edit the rules..

Attivo Cloud User Guide 177

11 Deploying Deflect
Deploying Deflect

Deflecting outbound failed connections

To detect and engage outgoing failed connection attempts by any endpoints in your network, that are
trying to access non-existing services on other endpoints, you should configure deflect in the
Outbound direction for such endpoints.
Configure deflect in the outbound direction on endpoint systems in your network which might be
accessed by unauthorized personnel outside your network and there by gain entry in to your network.
Deflect is triggered if,
• The endpoint is trying to establish outgoing connection attempts to non-existing services on other
endpoints matches the rule that you defined in your deflect profile settings.

• This endpoint is performing any port reconnaissance activity of failed connections on other endpoints
and it matches the rule that you defined in your deflect profile settings.

• This endpoint is performing any port or IP reconnaissance activity of failed connections and it matches
the rule that you defined in your deflect profile settings.

You can define rules that trigger deflect for outgoing connection attempts. Using these rules you can
customize and control what outgoing connections you want to redirect. See Under Rules section, add or
edit the rules.

Deploying Deflect
To deploy Deflect, create a protection policy that has deflect enabled. You can also choose to edit an
existing protection policy and include Deflect in it.
Use this protection policy to generate Attivo Endpoint Application and install it on your endpoints.

Create a protection policy

A protection policy is a set of rules that you can define for your EDN feature configurations. As part of a
protection policy, you can choose to create a set of rules for different endpoint features like ADSecure-
EP, Deflect, Ransomware, ThreatPath, and Lures.
To configure the rules for Deflect, follow these steps.
Steps:
1 In Attivo Cloud, click Configuration and select Endpoint policies | Protection Policies.

Existing protection policies are listed.

2 Click Add to create a new protection policy. You can also choose to edit an existing protection policy
and add Deflect configuration to it.

3 Click Configure now in the Deflect pane.

4 To enable Deflect on the endpoints for

• Redirecting or alerting incoming failed connection attempts to non-existing services on the

endpoint, select Inbound.

• Redirecting or alerting outgoing failed connection attempts originating from this endpoint,
targeting non-existing services on other endpoints, select Outbound.

5 Configure the Inbound and Outbound settings under corresponding sections.

178 Attivo Cloud User Guide

 Deploying Deflect
Deploying Deflect 11

Field Description
Inbound
Configuration
Recon settings Deflect after
Enter the number of non-existing services to be scanned by an attacker to detect
reconnaissance activity. This is called as Connection Threshold.
For example, if you set this threshold to 4, it will be considered a reconnaissance activity
for deflect only if 5 or more non-existing services or ports are targeted.
Failed connections detected in seconds
Enter the time interval in seconds within which the connection threshold has to be met.
This is called as Detection Interval.
For deflecting outbound connections, the connection Threshold is tracked per application.
For example, from an endpoint, if PowerShell has made 2 connection attempts to non-
existing services, and putty has made 3 connection attempts to non-existing services, then
the connection attempts are not considered as 5.
Event Suppression Event Suppression
Enable to stop raising events on Attivo Cloud for any subsequent reconnaissance events
from an attacker.
Suppression Duration
Enter the time interval in minutes for which events will not be raised if there are any
subsequent reconnaissance events from an attacker.
Outbound
Configuration
Recon settings Deflect after
Enter the number of non-existing services to be scanned by an attacker to detect
reconnaissance activity. This is called as Connection Threshold.
For example, if you set this threshold to 4, it will be considered a reconnaissance activity
for deflect only if 5 or more non-existing services or ports are targeted.
Failed connections detected in seconds
Enter the time interval in seconds within which the connection threshold has to be met.
This is called as Detection Interval.
For deflecting outbound connections, the connection Threshold is tracked per application.
For example, from an endpoint, if PowerShell has made 2 connection attempts to non-
existing services, and putty has made 3 connection attempts to non-existing services, then
the connection attempts are not considered as 5.
Sweep Threshold
Enter the number of non-existing IPs to be scanned by the attacker to detect
reconnaissance activity.
Event Suppression Event Suppression
Enable to stop raising events on Attivo Cloud for any subsequent reconnaissance events
from an attacker.
Suppression Duration
Enter the time interval in minutes for which events will not be raised if there are any
subsequent reconnaissance events from an attacker.

6 Under Rules section, add or edit the rules.

These rules define any specific conditions that you may want to define to customize your Deflect
configuration. For the rule match, you can also define actions to be performed by Attivo cloud.

Important: In Deflect configuration, set of default inbound and outbound rules are provided. These
default rules contain a recommended set of minimum services configured to redirect the failed connection
attempts to non-existing services.
The four default outbound rules included here have been set to deflect and they are configured to cover
your internal network address space. However, if your address space is different from the ones mentioned
here, we recommend that you replicate these outbound rules with your own address space.

Attivo Cloud User Guide 179

11 Deploying Deflect
Deploying Deflect

7 Click Add to add Deflect Rules.

8 Enter a name for the rule.

9 From Type, select Inbound, Outbound.

10 Specify what action needs to be taken if the rule is matched.

Field Description
Allow traffic Select this option to allow traffic for this particular condition.
Attivo Cloud will not raise any events and will not redirect connection attempts for this
setting.
Example:
Use this condition to configure settings to allow traffic from or to a TCP source port that is
performing a Tanium scan.
Deflect on Rule Select this option to detect the failed connection attempts to non-existing services, that
Match match this rule.
Use this rule when you do not want anyone probing a particular service and want to be
notified on the first hit of a closed port.
Examples:
Type: Inbound:
Action: Deflect on Rule Match
• Configure this setting to engage or alert when an attacker tries to connect to MSSQL
service on an endpoint system where it is not installed.
• Configure this setting for entities like Data Centers that contain only server applications
to detect any potential connection attempts to access services which typically do not
exist on a data center.
Type: Outbound:
Action: Deflect on Rule Match
• Configure this setting for entities like endpoints in your network to detect suspicious
activities like, employees trying to access a Oracle database server.

Note: When you configure Deflect on rule match, factor in all the ports that legitimate
traffic might target for a protocol.
Consider you configured an inbound Deflect on rule match rule for port 80 on an SMB
server (port 80 is closed on this server because you want to allow traffic only to port 445
and 139). Some Windows clients attempt to connect to TCP port 80 in addition to port
445, 139, and 137. In this case, Attivo Endpoint Application detects and deflects the
traffic targeting port 80 (if port 80 is closed) though the traffic is legitimate.

180 Attivo Cloud User Guide

 Deploying Deflect
Deploying Deflect 11

Field Description
Deflect on port Select this option to detect and when there is a rule match and when there are incoming
reconnaissance port reconnaissance activity of failed connection attempts on this endpoint.
If you use this setting, the detection will happen only when scans are triggered on multiple
closed or non-existing ports. This setting is more conservative than the previous rule
match setting.
This setting depends on the Connection Threshold (Deflect After) defined in the .
Deflect is triggered once the reconnaissance activity of failed connection attempts exceed
the number defined in the Connection Threshold (Deflect After).

Examples:
Type: Inbound
Action: Deflect on Port Reconnaissance
Configure this setting to deflect or alert, when there is a possibility that employees can
attempt to connect to the wrong servers.
The employees can sometimes connect to wrong servers by mistake. To eliminate false
positives, define a higher Connection Threshold (Deflect After) like 4. Deflect is triggered
only on the fifth failed reconnaissance connection attempt.
You can configure this as a default setting for endpoint systems in your user network.

Select this option to deflect when there is a rule match and when this endpoint is
performing port reconnaissance activity of failed connection attempts on other endpoints
in the network. Deflect is triggered and event is raised only when there are multiple failed
connection attempts.

Type: Outbound
Action: Deflect on Port Reconnaissance
Configure this setting for your internal networks to limit port scanning to only internal
networks.
Deflect on port or IP Select this option to deflect when there is a rule match and when this endpoint is
reconnaissance performing port or IP reconnaissance activity of failed connection attempts on other
endpoints in the network.
This setting depends on the Connection Threshold (Deflect After) defined in the .
Deflect is triggered and event is raised once the reconnaissance activity of failed
connection attempts exceed the number defined in the Connection Threshold (Deflect
After).
This setting should only be used for internal networks, for example RFC1918 addresses or
any other addresses relevant only to your internal networks.
This setting is more conservative than both the previous settings.

Examples:
Type: Outbound
Action: Deflect on port or IP reconnaissance
Configure this setting to deflect failed connection attempts that are accessing IP addresses
which do not exist in your network.
Configure this setting to deflect and engage any malicious activities performed by an
endpoint by using an IP scanning tool.

Important: When executing the rules, the following precedence is followed.

1. Rules with action as Exceptions (Whitelist).
2. Rules with action as Deflect on rule match.
3. Rules with action as Deflect on Port Reconnaissance.
Within each rule category, the best matched or the more specific rule is given higher precedence over a less
specific rule.

Attivo Cloud User Guide 181

11 Deploying Deflect
Deflect events

11 Enter the following details.

Field Description
Source ports Enter a source port.
For example, you can whitelist a TCP source port that is performing a scan such as a
Tanium scan. So when the action is set to Allow Traffic and the Source Port is set to a
TCP port, this port will be excluded.
Windows Service Enter the name of the Windows service that you want to whitelist such as mstsc.
Process Enter the name of the process that you want to whitelist. This could be a Windows or a
Linux process. Enter either the process name or full path of the process. For a Windows
process, if you want to whitelist Outlook, you can enter outlook.exe. You can also enter
the complete path
C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Source Configure the IP address or CIDR when you want to restrict detection and engagement to
limited number of source endpoints.
Destination Configure the IP address or CIDR to engage or detect only specific set of services applicable
in that network. For example if you have a IoT subnet, you can configure rules only to
detect or engage IoT applications in that subnet for Deflect.
Destination Port(s) Enter the destination port number. When the Actions is set to Allow Traffic, the
destination port number entered here will be excluded.
You can enter multiple port numbers also. For entering multiple port numbers, separate
each of the port number by a comma.

12 Click Add to add the Rule. You can click Reset to reset the rule.

You will be returned to Deflect Configuration page.

13 You can choose to edit, delete, or clone an existing rule.

14 Click Save to save the Deflect Configuration.

Deflect events
To view the events raised for Deflect feature, select Analysis | Events.

182 Attivo Cloud User Guide

12 ThreatPath

After the initial breach, attackers traverse laterally across the network looking for high-value targets to
steal and ex-filtrate data. ThreatPath is part of Attivo’s Endpoint Detection Net (EDN) suite.
ThreatPath’s main purpose is to detect and display the potential lateral-movement paths, which
adversaries can exploit.
Capabilities of ThreatPath include:
• Detecting potential lateral-movement paths: The Attivo Endpoint Application instances gather and
send the required data to Attivo Cloud. The ThreatPath module in Attivo Cloud analyzes this data to
correlate and identify the potential lateral-movement paths. ThreatPath identifies the exposures, and
then derives attack paths based on saved credentials and vulnerable network shares present in the
endpoints. Attivo Cloud then presents these potential paths in a card view, from which you can drill
down to the tabular format for the details and the narrative. In ThreatPath, you can also drill down to
view the user details and network details in each endpoint.

• Displaying critical AD objects: Attivo Cloud queries the production AD servers at the configured
intervals for privileged user accounts, service accounts, and delegated admins (that is, shadow
admins or ACLs). This functionality enables you to keep track of these critical AD objects. Note that
this data is retrieved directly from the AD servers.

• Display the production and deceptive credentials on endpoints: Attivo Endpoint Application gathers
and sends the production and deceptive user names, services on an endpoint, and other details. You
can monitor if a sensitive user credential like a server administrator is saved in any of the endpoints.
You can also understand if ThreatStrike deceptive credentials are in place.

• Remediate the exposures detected by ThreatPath: Instead of having to wait for the IT team to
remediate the cause of lateral-movement paths, you can configure Attivo Endpoint Application itself
to remediate. For example, you can configure Attivo Endpoint Application to delete the corresponding
saved credential in the vulnerable endpoint.

• Ignore the exposures you define: For the known lateral-movement paths, you can create exception
rules. Then, ThreatPath does not provide the details for such exposures.

Summary of how ThreatPath works

A high-level summary of how ThreatPath works is as follows:
1 EDN features including ThreatPath require an active Attivo CloudLink. For example, Attivo Cloud
queries the AD servers in your network through Attivo CloudLink. For more information on Attivo
CloudLink, see Deploy Attivo CloudLink

2 In Attivo Cloud, provide the details of the AD servers for which you want to monitor through
ThreatPath.

3 Review the default settings for ThreatPath and customize them if required. Also, create ignore
(exceptions) and remediation rules as required.

Attivo Cloud User Guide 183

12 ThreatPath
Summary of how ThreatPath works

4 Generate Attivo Endpoint Application and install it on the required production endpoints. Such
endpoints are referred to as managed endpoints.

Attivo Endpoint Application gathers the required data from the endpoint and updates Attivo Cloud.
The data gathered by Attivo Endpoint Application includes the IP address and active connections
with other managed endpoints.

The data sent by Attivo Endpoint Application is discussed in detail in the subsequent sections.

5 At the configured intervals, the ThreatPath analysis engine in Attivo Cloud collects and correlates the
data sent by each Attivo Endpoint Application. Based on this analysis, Attivo Cloud identifies the
exposures and provides the details under Analysis | Endpoints | ThreatPath.

Consider that a managed endpoint A contains RDP credentials for endpoint B saved in its
Credential Manager. Attivo Endpoint Application updates Attivo Cloud that endpoint A has the
credentials to access endpoint B over RDP. The implication is that if an attacker compromises
endpoint A, the attacker can steal the RDP credentials and laterally move on to endpoint B.

ThreatPath details this exposure including the endpoint details, logged on user name, and so on.
You can group, filter, and sort the information as per your requirements. With these options, you
can pivot the data to view the potential threats from varied perspectives.

Note: ThreatPath is for detecting possible lateral-movement paths within the enterprise network.
ThreatPath does not show paths to any domain or server on the Internet that is outside your enterprise
network. For example, ThreatPath does not process saved credentials of google.com. However, it does
detect paths to resources in your private cloud. Subsequent sections discuss the ThreatPath routes in
detail.

In addition to lateral-movement paths, ThreatPath also details AD-related data - the current
privileged accounts, service accounts, and delegated (shadow) admins from the configured
production AD servers. This functionality enables you to keep track of these sensitive user
accounts. For example, you can check if any delegated admins were created in the last 7 days.

Note: At the configured interval, Attivo Cloud (not the endpoints) queries the AD for the privileged
accounts, service accounts, and delegated admins.

6 The previous point explained for just one endpoint. Similarly, ThreatPath provides the details of
possible paths from all the endpoints on which you have installed the Attivo Endpoint Application.

7 In service mode, Attivo Endpoint Applications sends updates to Attivo Cloud at the configured
intervals. ThreatPath re-analyzes the collected data at a configured interval and displays the updated
paths.

8 Using pre-defined rules, you can configure ThreatPath to automatically trigger remediation. You can
also trigger remediation for the required paths.

184 Attivo Cloud User Guide

 ThreatPath
Summary of how ThreatPath works 12

Figure 12-1ThreatPath - an overview

Important notes
• Attivo Endpoint Application for ThreatPath works on Windows, Linux, and Mac endpoints. To know the
list of supported Windows versions, see Installation on a Windows endpoint. Attivo Endpoint
Application is not supported on Kali Linux. In case of Mac, the endpoint must run a 64-bit Mac OS.

Note: If large number of users simultaneously login into a server (Citrix or Jump or Terminal) where
ThreatPath feature is installed, then it is recommended to disable ThreatPath feature.

• The lateral-movement paths detailed in ThreatPath are possible attack paths. Attackers may or may
not be exploiting these paths currently.

• An endpoint on which Attivo Endpoint Application is not installed is referred to as unmanaged

endpoint.

A managed endpoint is one on which Attivo Endpoint Application is installed in the service or non-
service mode.

• ThreatPath displays endpoint details (network details, logged on user name, and so on) only for
managed endpoints.

• For ThreatPath to identify a path, the corresponding path rules (at Configuration | Endpoint Policies |
ThreatPath | Path Vulnerabilities) must be in enabled state. By default, all these rules are enabled.

Attivo Cloud User Guide 185

12 ThreatPath
How can ThreatPath help to protect your network?

• ThreatPath can display up to 225,000 records. However, there are upper limits per exposure as
detailed below.

• Same password: 25000 paths

• Exploiting domain admin credentials: 25000 paths

• Exploiting enterprise admin credentials: 25000 paths

• Saved credentials (SMB, RDP): 50000 paths

• AD user or AD group added as a local admin user or local RDP group: 50000 paths

• Web internal: 25000 paths

• SMB critical share: 25000 paths

How can ThreatPath help to protect your network?

• Bird’s-eye view of the network: The overall view provided by ThreatPath can enable security
analysts to understand their network better.

• Focus on areas which needs your attention first: A common challenge when monitoring large
networks is finding out where to focus first. In ThreatPath, you can view the risks and vulnerabilities
currently in your network and then prioritize your actions items.

• Be aware of the high-value AD objects: Privileged accounts, service accounts, and shadow/
delegated admins are the most sought after by attackers given the scope and nature of these
accounts. Also, tracking these accounts can be a daunting task. For example, consider making a list
of all the current shadow admins (users with ACLs) in your organization.

ThreatPath lists the AD data - privileged accounts, service accounts, and ACLs (shadow admins)
with the relevant details. You can use this feature to monitor for any abnormal activity like a
sudden surge in the number shadow admins. You can also be aware of the current status. For
example, you can find out what are the unmanaged service accounts in your network.

• Remediate right at the discovery time: You can create rules to automatically remove credentials
corresponding to exposures. In the remediation rule, you define the criteria for remediation. For
example, you can define the network AD or network details of the source and destination endpoints.
You can also select the exposure type. When the Attivo Cloud identifies an attack path meeting a
remediation rule, it instructs Attivo Endpoint Application to delete the corresponding credential from
the source endpoint.

You can also manually trigger remediation from Analysis | Endpoints | ThreatPath | Paths.

• Be proactive instead of reactive: Instead of responding to events, you can proactively monitor
your network for lateral-movement paths. This way you can preempt any attempts to steal data.

• Perpetual penetration testing: The insights from ThreatPath are similar to what you would get
from an expert penetration testing team. The advantage with ThreatPath is that it is automated,
continuous, and comes with a remediation option.

How to deploy ThreatPath?

Before you deploy ThreatPath, make sure there is an active Attivo CloudLink in your network. To verify,
go to Analysis | Endpoints | Managed Endpoints and click CloudLink in the tabular section. Check
if the Status shows as Active. If not, redeploy Attivo CloudLink. Alternatively, select another endpoint
that qualifies for CloudLink functionality and select Migrate CloudLink. See Deploy Attivo CloudLink
The high-level steps to configure and deploy ThreatPath are as follows:

186 Attivo Cloud User Guide

 ThreatPath
How to deploy ThreatPath? 12

1 Configure Active Directory server details.

2 Define the ignore and remediation rules.

3 Customizing path vulnerabilities.

4 Configure the ThreatPath advanced features.

5 Generate and install Attivo Endpoint Application. See Deploying Attivo Endpoint Application.

Configure Active Directory server details

This configuration applies to all AD-related EDN features.
For example, in case of ThreatPath, the Attivo Cloud uses AD-related details of the discovered
endpoints for its analysis. For example, ThreatPath shows the domain and OU to which an endpoint
belongs. Similarly, ThreatPath obtains the domain, OU, and group details of the logged on user and
user names in the saved credentials.
To obtain the AD-related details, Attivo Cloud queries the corresponding AD DS. Attivo Cloud caches the
information it obtained from the AD DS to reduce the number of AD queries.’
The AD user, which Attivo Cloud uses to query domain controllers just requires read-only privileges to
the domain but also must have privileges to access WinRM on the domain controllers.
Before you begin:
Make sure you have the following details:
• The Fully Qualified Domain Name (FQDN) of the domain that the Attivo Cloud must query. The
endpoint hosting Attivo CloudLink must be able to resolve this FQDN.

• You have the user name and password of a user belonging to the root domain. This user just needs
read-only access on the AD but also should be able to use the WinRM service on the domain
controllers.
Steps:
1 Open the Add Active Directory Server dialog.

If you are in the Startup Wizard, go to the third task, which is Active Directory.

Alternatively, go to Configuration | Active Directory | AD Configuration and click Add.

2 Add the details of an AD server.

Attivo Cloud User Guide 187

12 ThreatPath
How to deploy ThreatPath?

Table 12-1 AD server details

Field Description
DC FQDN/IP Enter the FQDN or the IP address of one of the domain controllers. This can even be a read-
only domain controller.
Example: adserver.acme-corp.com

Note:
If you select the SSL option, then you need to provide the Fully Qualified Domain Name
(FQDN) in this field. AD authentication fails if the host name in the FQDN doesn’t match
the Subject Name or the Subject Alternate Name in the SSL certificate. IP address will
work provided it is available in the Subject Alternate Name.

FQDN is required even if you do not select SSL option, but LDAP signing and channel
binding is enabled on the AD server.

Even if you provide the IP address, the endpoint that hosts Attivo CloudLink must be able
to resolve the corresponding domain. This is because the ADAssessor module uses the
domain name in some of the queries. For example, ADAssessor uses the FQDN of the do-
main controllers in its queries.

Username Enter the user name the Attivo Cloud can use to query the domain. This user name needs
just read-access to query the root domain but should have privileges to use the WinRM
service on the domain controllers. For information on how to enable WinRM privileges for
a user, WinRM access to Domain Controller.
You can enter the user name in these 3 formats: UPN, NetBIOS, or just the user name.
UPN format: For example, if the configured domain is acme.com, you can enter jdoe@ac-
me.com as a user name.

Note: In the UPN, you can also enter an alternative UPN suffix (domain alias).

NetBIOS format: If the configured domain is sales.acme.com, and the corresponding

NetBIOS for the domain is SALES, you can enter SALES\jdoe. (SALES.ACME.COM\jdoe
is not valid).
Only the user name: For example, if the configured domain is sales.acme.com, you can
enter jdoe. In this case, the Attivo Cloud considers the user name as jdoe@sales.ac-
me.com.

Tip: Recommend that you configure an unmanaged service account because a normal
user account can be impacted by security policies like password expiry.

Password Enter the corresponding password.

Domain name Enter the FQDN of the domain or the sub domain.
Example: acme-corp.com
Encryption method Select SSL to encrypt the traffic between Attivo Cloud and Windows Active Directory.

Note: This option is for encrypting the traffic to and from the Active Directory and is dif-
ferent from the encryption done by Attivo CloudLink.

CA-signed Select if the certificate is signed by a CA. In case of self-signed certificate, Attivo Cloud
automatically adds the certificate to the trusted list.
LDAP Port Enter the port number Attivo Cloud should use to communicate with the Windows Active
Directory.
Make sure the correct port number is entered. If SSL is enabled, the default port is 636,
else the default port is 389.
Referral Select to enable referral chasing to query the sub-domains.
ADAssessor: This is specific to ADAssessor feature. Attivo Cloud assesses the corresponding domain
Include All domains only if you select this option.
Attivo Cloud discovers subdomains and displays them in the UI as part of the AD topology.
However, Attivo Cloud queries and assesses the subdomains only if you select this option.
Else, it assesses only the domains you configure.
If you select All Domains, then select Referral too because ADAssessor Dashboard re-
quires Referral option to be selected to display certain data in the ADAssessor Dashboard.

188 Attivo Cloud User Guide

 ThreatPath
How to deploy ThreatPath? 12

Table 12-1 AD server details

Field Description
Access Over Trust Select if you want to configure a trusting domain in a different forest. This option is
relevant if you want to assess or protect a trusting domain using the credentials of a user
in the trusted domain.
Consider that summer.com is a domain in Forest B, which trusts spring.com in Forest A. If
you want to configure ADAssessor or ADSecure-EP for summer.com using a credential like
user@spring.com, then select this option.
• Trusting Domain Name: Enter the domain name like summer.com.
• Trusting Domain DC FQDN: Enter the FQDN of a DC of the trusting domain. Do not enter
an IP address. For example: adserver.summer.com

Note: You must create records for each trusting domain. For example, to configure 5
trusting domains, you must create one for each. You must also create one for the trusted
domain, in which you must keep the Access Over Trust disabled.

Save & Test Connec- Attivo Cloud tests if it is able to access a domain controller before saving the details.
tion

3 If you are using the Startup Wizard, click Next and wait for Attivo Cloud to learn the AD and gather
data for analysis.

Notes:

• Attivo Cloud queries all the configured domains at this time serially. Until Attivo Cloud completes
querying all the reachable domains, related operations such as modifying ADSecure-EP profiles are
not allowed. The following error message is displayed: Error while fetching profile details.
Error: AD data is being refreshed.

• If you add a new record, then Attivo Cloud queries only the newly added domain immediately.

• If you edit a record, then also Attivo Cloud immediately queries only the domain present in the
record that is being edited but, in addition to querying the domain immediately, the Attivo Cloud
also queries the domain again at Saturnday 4 am UTC.

• If you delete a record, all the data related to that domain are deleted in Attivo Cloud.

• If the Attivo Cloud is unable to retrieve data from the production AD servers, a fault is raised. You
can view the fault at Configuration | System | Fault Logs. With the details in the fault, you can
troubleshoot further by referring to https://ldapwiki.com/wiki/
Common%20Active%20Directory%20Bind%20Errors

Define the ignore and remediation rules

You must create ThreatPath rules to define the criteria for the following:
• Paths that are to be ignored. See Paths to be ignored.
• Paths that are to be remediated automatically. See Remediation rules.

Paths to be ignored
There could be some paths that you want ThreatPath to ignore. That is, you do not want ThreatPath to
display those paths. For example, you can configure ThreatPath to ignore the paths that you expect to
commonly find in your network. This not only saves Attivo Cloud resources but also avoids cluttering of
ThreatPath with unwanted paths.

Remediation rules
The attack paths displayed in ThreatPath exist due to saved credentials and shared folders present on
endpoints. Given the risk, you might want to remediate some of the exposures displayed by
ThreatPath. When you remediate an exposure, the Attivo Endpoint Application installed on the endpoint
deletes the corresponding saved credential, removes the sharing of folders, or removes write
permissions to a folder.

Attivo Cloud User Guide 189

12 ThreatPath
How to deploy ThreatPath?

From ThreatPath, you can trigger remediation in two ways:

• Create remediation rules such that remediation is automatically triggered when ThreatPath discovers
an attack path as per pre-defined rules. Steps to define ThreatPath rules provides the procedural
information on how to create remediation rules.

• You can manually trigger remediation from the Paths tab. Expand a card in the Paths tab, click the
horizontal ellipsis of a path, and then select Remediate. To create a rule, select Remediate Rule.

Steps to define ThreatPath rules

1 In Attivo Cloud, go to Configuration | Endpoint Policies | ThreatPath.

Any existing ignore and remediation rules are displayed.

2 To add a path, click Add.

Table 12-2 Create a ThreatPath rule

Field Description
Name Provide a name for identification purposes.
Action Select one of the following:
• Ignore. Select to exempt paths from being displayed. See Paths to be ignored.
• Remediate. Select to remediate saved credentials or folder shares. See Remediation
rules.
Enable Use this option to enable or disable the ThreatPath rule as required. Only enabled rules are
executed during ThreatPath analysis.
Source Specify the parameter for the source of the path.
• Any: Select this if you do not want to set a specific criteria for the source of the path.
• AD domain: The AD domain of the user logged on to the source endpoint - not the
endpoint’s domain. Specify the FQDN. For example: mycompany.com
• AD group: The AD group of the user logged on to the source endpoint. For example:
mycompany.com\sales
AD domain and AD group options are not supported for remediation and ignore rules.
• AD OrgUnit: Use this to specify the organizational unit of the user logged on to the
source endpoint. For example: mycompany.com\northamerica
• Host name: The computer name of the source endpoint. For example:
mycompany.com\jdoe-pc
• IP/CIDR: Enter an IPv4 address or CIDR for the source endpoint. Example for CIDR:
192.0.2.0/24
Select the required operator from the list.
Then, in the next box, enter the value. You can enter multiple values separated by a
comma. The values you enter is based on the parameter and the operator you select. Note
that you must enter AD domain, AD group, and AD OrgUnit in the specified formats.
Consider the parameter is Hostname, the operator is contains, and the value is jdoe.
Then, the rule hits if the host name contains the string jdoe.

190 Attivo Cloud User Guide

 ThreatPath
How to deploy ThreatPath? 12

Table 12-2 Create a ThreatPath rule

Field Description
• Source, Destination, Credential, and Exposure are the categories under which you can specify the values.
• For a rule to hit, at least one value of all the categories must match. That is, an AND condition applies across
the categories.
• For each category, you can specify multiple parameters like AD domain, AD group, and so on. For example, for
the source category, you can specify host name and an IP address. Within each parameter OR condition applies.
For example, you can specify the source host name to match as mycompany.com\jdoe-pc and the source IP
address as 192.0.2.10. Then the rule hits if either of these values match.
• For each parameter, you can enter multiple values separated by a comma. Within each parameter, OR condition
applies. For example, you can specify HR-SERVER and FIN-SERVER as the value to match for the destination
host name. The rule hits if the destination is one of these servers.

Destination Similar to the source, specify the criteria for the destination of the path.
• Except for any, the destination endpoint must be a managed endpoint for Attivo Cloud
to verify the criteria.
• The AD domain, group, and OU apply to the user logged on to the destination endpoint
and not the destination endpoint.
Credentials Specify the criteria for saved credentials or credentials used for an active session.
In case of remediation rules, specify the user name for saved credentials.
Exposure Set the criteria for the type of path. Note that the exposures are listed based on the rule
type.
Remediation rule is not supported for SMB critical share and same password. An SMB
critical share can be remediated in multiple ways. For example, the privileges of the
corresponding user can be reduced from write to view, or the sharing itself can be
removed. Because ThreatPath does not know your preference, remediation rule for SMB
critical share is not allowed. Similarly, remediation of same password is also not allowed.
However, you can manually remediate an SMB critical share exposure from the Paths tab.

Note: For AD-based criteria for source, destination, and credential, the Attivo Cloud queries the AD DS you
defined in the Active Directory page.

3 Click Save.

• If you edit or add an ignore rule, the changes immediately reflect in ThreatPath.

• Consider 4 nodes - E, F, G, H. You have defined the path between E and H as an ignore rule.
ThreatPath detects paths from E to H, E to F, F to G, and G to H. In this case, only the E to H path
is ignored.

• When you add, modify, or delete a rule, the ThreatPath analysis engine analyzes the current data
and redraws the paths immediately. This analysis and the regular analysis cycles are independent
of each other.

Attivo Cloud User Guide 191

12 ThreatPath
How to deploy ThreatPath?

Customizing path vulnerabilities

Paths are the types of exposures that ThreatPath detects. You can customize the path definitions in the
following ways: enable just the required definitions and change the severity as required.

Important: If you disable a definition in the policy, then ThreatPath does not display the corresponding
path.

Note: If you deploy Attivo Endpoint Application in service mode, the changes you make to the path
definitions are automatically applied at the next update interval. If you deploy Attivo Endpoint Application in
non-service mode, you must generate and re-install Attivo Endpoint Application on the corresponding
endpoints for the changes to take effect.

Customize path definitions

The Path Vulnerabilities tab lists all the exposures for which paths are displayed. You can enable just
the required ones.

Note: The Lateral Movement using SMB Saved Credential path is disabled by default. This is because saving
SMB credentials on endpoints is a common activity, which may result in ThreatPath displaying all such paths.

Steps:
1 In the Attivo Cloud, go to Configuration | Endpoint Policies | ThreatPath | Path
Vulnerabilities.

2 Select the path you want to customize and click Edit.

3 Change the status (enable or disable) or the severity as required and click OK.

Note: ThreatPath displays the paths of higher severity on top.

4 To remove all customization to path definitions, click Reset.

Configure the ThreatPath advanced features

Advanced features include the configurable settings for the Attivo Endpoint Application and the
ThreatPath analysis engine.
Steps:
1 Go to Configuration | Endpoint Policies | ThreatPath | Advanced Configuration.

2 In the Endpoints section, configure the settings for Attivo Endpoint Application.

These settings apply to all Attivo Endpoint Application across Protection Policies. For existing
installations, these settings apply at the next update interval.

192 Attivo Cloud User Guide

 ThreatPath
How to deploy ThreatPath? 12

Table 12-3 Attivo Endpoint Application settings for ThreatPath

Field Description
Update frequency This field is applicable only if you deploy Attivo Endpoint Application in service mode.
Specify how frequent the Attivo Endpoint Application should send ThreatPath-related
updates about the endpoint to Attivo Cloud.
Default value is 720 minutes.
Send passwords Select this option to detect common local user passwords on multiple endpoints.

Note: Attivo Endpoint Application and Attivo Cloud neither store or transmit local user
password hashes.

The process followed to detect common passwords is as follows:

1. Attivo Endpoint Application generates a strongly encoded string. This string is unique to
each subscriber (tenant) in Attivo Cloud.
2. Attivo Endpoint Application uses AES to encrypt the local user password hash.
3. Using the encrypted-password-hash from step 2 as the key, Attivo Endpoint Application
encrypts the unique string from step 1.
4. The encrypted string from step 3 is sent to the Attivo Cloud.
If the encrypted strings from different endpoints match, then it indicates a common
password being used for the local user.

3 In the ThreatPath Analysis section configure the settings related to the ThreatPath analysis engine.

Table 12-4 Settings for ThreatPath analysis engine

Field Description
Analysis frequency Specify how frequent the ThreatPath analysis engine should analyze the data and recreate
the paths. This is the frequency at which the ThreatPath analysis engine analyzes the
current data available in the Attivo Cloud and recreates the paths.
Analysis is also triggered every time you make configuration changes to the fields in the
ThreatPath Analysis section.
To trigger analysis immediately, click Trigger Analysis at Analysis | Endpoints |
ThreatPath. Triggering analysis manually does not affect the scheduled analysis as per
Analysis frequency.
Refresh AD cache The data sent by Attivo Endpoint Application as per the Update Frequency can include
duration AD user details. Attivo Cloud queries the AD to find the OU and group details of these AD
users. Attivo Cloud uses the group and OU details for correlation and reporting purposes.
Refresh AD cache duration is the TTL for the queried OU and group details.

When this TTL expires, Attivo Cloud queries the OU and group details of the AD users last
reported by Attivo Endpoint Application. This setting applies only to the AD users reported
by Attivo Endpoint Application for ThreatPath.

4 Click Save.

Scenario to explain how ThreatPath configuration works:

Consider a configuration as below:
Update frequency: 60 minutes
Analysis frequency: 120 minutes (assume the current time is 1200 and the next analysis is due at
0200 hours)
Update interval: 8 hours (this option is available in the Global Settings tab of the corresponding
protection policy).
Scenario: On Endpoint-B, you install Attivo Endpoint Application for all users in service mode (/ia and /
service parameters) at 1601 hours

Attivo Cloud User Guide 193

12 ThreatPath
How is information structured in ThreatPath?

1 Attivo Endpoint Application collects the required endpoint and current-user information and sends it
to Attivo Cloud.

2 Another user logs on at 1610 hours. Attivo Endpoint Application collects information for this user as
well and sends them to Attivo Cloud.

3 At 1700 hours, Attivo Endpoint Application updates the Attivo Cloud with endpoint and user
information.

4 Though the Attivo Cloud has the required information, it draws the paths only at 1800 hours for both
the users.

5 At 2000 hours, Attivo Endpoint Application checks with Attivo Cloud for any changes in configuration
to the corresponding endpoint features.

How is information structured in ThreatPath?

You need to adjust the visualization settings in ThreatPath based on the information you require. For
example, you might want a bird's-eye view of the attack paths across all segments of your network, or
you might want to focus on exposures related to a specific OU. This section discusses how you can use
ThreatPath to discover the risks and vulnerabilities in your network.
Some of the questions that ThreatPath can answer for you:
• What are the privileged accounts, service accounts, and shadow admins created in the last 30 days
for example?

• Are privileged AD user credentials saved in any of the endpoints?

• Are there any active sessions for privileged user accounts? Because any attacker inside will target
such clients to take over the AD.

• Is the built-in administrator saved or logged in from any endpoint?

• What are the exposures related to credentials of IT engineers?

• Which endpoints belong to which OUs?

• Which are the workgroup endpoints?

• What are the potential attack paths between OUs?

• Potential attack paths between endpoints

• When was each potential attack path discovered first and when was it observed last?

• What are the real and deceptive credentials stored on the managed endpoints? (Analysis |
Endpoints | Managed Endpoints | Actions | Credentials)

ThreatPath displays information in 2 tabs:

• Summary - This is the ThreatPath dashboard.

• Paths - Details the exposures (attack paths) in a card-view.

Understanding the Summary tab

The Summary tab is your ThreatPath dashboard, which provides a bird's-eye view of all the exposures
detected in your network. The Summary tab consists of counters and charts.

194 Attivo Cloud User Guide

 ThreatPath
Understanding the Summary tab 12

Note: All the data displayed in ThreatPath is for the selected time period. The time-period selection in the
Summary tab functions the same way as First Seen filter in the Paths tab. See What does First Seen imply?

Counters
The counters list the exposures discovered during the time period along with the count for each. These
exposures include lateral-movement paths, critical AD credentials (created in the AD servers), as well
as exposures like SMB shared folders for which paths are not applicable.
Paths are detected only for those definitions that are enabled at Configuration | Endpoint Policies |
ThreatPath. Details are also provided in the Paths tab for exposures like Same Password Paths
Detected and the critical AD credentials queried from the production AD servers. Click on the count to
view the details in the Paths tab. For exposures for which paths don’t apply, the details are shown in
the tabular format.
The counters displayed in the Summary tab are explained in the following sections.

Impacted endpoints
This is the percentage of endpoints involved in exposures. The formula used to determine the value is:
[(Number of impacted endpoints / Total number of endpoints on which ThreatPath is
installed) * 100]
In the example shown below, the risk score of 40% indicates that 40% of the endpoints are involved in
exposures compared to the total number of endpoints on which you have installed ThreatPath.

ThreatPath determines the health based on the risk score:

• If risk score is > 95, then your network is at a very high risk for attacks.

• If risk score is > 70 but <= 95, it is at high risk.

• If risk score is > 50 but <= 70, it is at medium risk.

• If risk score is >30 but <= 50, it is at low risk (as shown in the example above).

• If risk score is > 0 but <= 30, it is very low risk.

• If risk score is not available or computable, then it is marked as Unknown.

Note:
• The count of endpoints involved in exposures (that is, the count of impacted endpoints) is calculated
as follows: It is the sum of unique source and destination host names (not IP addresses). If an
endpoint is unmanaged, then it is not counted. For example, if there is a path from endpoint A to
endpoint B, where only one of these endpoints is managed, then for this path, the impacted endpoint
count is just one.

For the impacted endpoints count, source and target endpoints of the lateral-movement paths are
considered. Also, both must be managed endpoints. The paths related to AD data (critical AD
accounts) are not considered.

Attivo Cloud User Guide 195

12 ThreatPath
Understanding the Summary tab

• In the paths, if All Computers is displayed as the Target, then it indicates that all the endpoints in
the domain/forest are impacted. This is because an attacker can use the privileged user’s credentials
present in the source host to virtually move to any other endpoint within the domain or forest.
However, even in this case, it is counted as just one endpoint when calculating the Impacted
Endpoints count.

• If an exposure is remediated, the corresponding path is removed in ThreatPath only at the next
ThreatPath analysis. Therefore, the impacted endpoints count also reduces accordingly only at the
next analysis. Click Remediate to open the Remediation Report, where you can view the details of
remediated endpoints.

Active Directory
This section shows the count of critical and vulnerable AD objects on your AD servers.

Critical AD accounts queried from the AD servers

The Attivo Cloud queries the configured AD servers at the configured refresh interval as per the settings
at Configuration | Active Directory | AD Configuration.

Note: Click on Privileged Accounts to view the count displayed against Total. Similarly, click on the other 2
object type to view the count. Click on the count value to view the details in the Paths tab.

Attivo Cloud queries for the following details:

• Privileged accounts - This is the count of user objects in any of the following security groups.
Account operators Enterprise admins Group policy creator owners
Administrators Domain admins Schema admins

The entire organization’s network and resources can be compromised by exploiting such high
privileged users.

Note: For the Privileged Accounts counter, ThreatPath considers all the above security groups. However,
to show the path details for privileged accounts, ThreatPath considers only the enterprise and domain
admin groups.

If a user account belongs to multiple security groups, then the account count does not increment
but the group membership count increments accordingly. If the same domain user is in different
domains, then the user account is considered separately for each of those domains. For example,
winter.com trusts summer.com, and jdoe@summer.com is a privileged user in both these
domains. Then, jdoe@summer.com is considered separately for summer.com and winter.com.

• Service accounts - Both managed and unmanaged service accounts are factored in. It is the count of
user and computer accounts with at least one SPN.

196 Attivo Cloud User Guide

 ThreatPath
Understanding the Summary tab 12

• Delegated admins (users with ACLs) - This is the count of user accounts with any of the following
privileges:
Allowed to authenticate Change password Full control
Modify owner Modify permission Read & write group membership
Receive as Replicate directory changes Replicate directory changes all
Replicate directory changes in Replicate synchronization Reset password
filtered set
Send to Unexpire password
Send as
Write Write GP Link
Write member of Write GP Options Write msDS-Allowed to Delegate
Write password last set to
Write user account control
Write msDS-PrincipalName Write user password
All validated writes
Write all properties All extended rights

The count of service accounts and the total count of all the permissions are displayed.

Stale Accounts
This is the count of user accounts not logged on, expired, or locked out for at least the last 30 days.
Consider that you select year as the time period and the stale account count is 100. This means that
there are 100 user accounts who were first detected to be stale in the last 365 days, and they are still
stale as per the last ThreatPath analysis.

Note: User accounts where sAMAccountType=805306370 are ignored when detecting stale accounts.

No password expiry
This is the count of user accounts that have the Password never expires attribute set.

Endpoint Exposures
This section contains the counters for certain exposures, which attackers can exploit to take control of
the corresponding endpoints. These exposures do not have a specific target endpoint. However, these
are vulnerabilities, which attackers commonly attempt to exploit.
Because these exposures do not have a specific target endpoint, paths are not applicable. You also
cannot disable (customize) these exposures in ThreatPath. Click on the count to view the details of the
exposure in a dialog box. For Same Password, you can view the details in the Paths tab.

SMB shared folders

This is the count of SMB shared folders on managed endpoints (not the count of endpoints with SMB
shared folders). This exposure includes SMB critical share as well. Note that the shared folders
discovered during the selected time period are shown.

SMB mounted shares/drives

This is the count of SMB mounted shares with or without associated drive letters. Deceptive
(ThreatStrike) network shares and mounted drives are not included.

Local admin accounts

This is the count of privileged local users detected on the managed endpoints during the selected time
period. In case of Linux and Mac, users with sudo privilege are considered. In case of Windows, users
belonging to the local administrators group are considered.
• The detected users need not be logged on to the endpoints.

• To be able to detect local admin account users, you must install Attivo Endpoint Application in service
mode.

• First Seen indicates when Attivo Endpoint Application first sent the corresponding data to Attivo
Cloud for the first time during the selected time period.

Attivo Cloud User Guide 197

12 ThreatPath
Understanding the Summary tab

Local service accounts

The count of user accounts used to run services on managed Windows endpoints.
• The running status of the service is not factored in.

• Understanding the Paths tab

Same Password
This is the count of instances wherein the same user name and password pair is configured on various
endpoints. For example, if jdoe/password1 is configured as a local user/password on 10 endpoints, then
the count is 10. However, if hwilliams/password1 is configured on one of these endpoints, then this
does not increase the count because the user name is different.
IT staff generally use a local administrative account to access endpoints for troubleshooting,
installation, and maintenance purposes. It is common for IT staff to set the same password for local
administrative accounts on endpoints across the organization. It is also common for users to set the
same password for local user accounts on all the endpoints that belong to them. Though this practice
can help to remember just one password to access multiple endpoints, it is one of the most common
vulnerabilities exploited by attackers.
Attivo Endpoint Application collects the password hashes of local users defined in the corresponding
endpoint and sends it to BOTsink. ThreatPath checks if a local user password is shared across any other
endpoint. If found, ThreatPath displays a two-way path between the corresponding endpoints. You
should have configured Send Passwords option in Configuration | Endpoints | ThreatPath |
Advanced.

Note: Attivo Endpoint Application and BOTsink neither store or transmit local user password hashes.

Lateral movement paths

This section lists the exposures that enable lateral movement to specific targets. The count for such
exposures are displayed. Click on the count to view the path details.
The counts (and paths) are available only for those enabled exposures at Configuration | Endpoint
Policies | ThreatPath | Path Vulnerabilities. Paths are also drawn for exposures based on critical
AD credentials.
The total number of lateral-movement paths for the selected time period is displayed. This count
matches with the number of attack paths in the Paths tab for the same time period. However, in the
Paths tab, the details are grouped by parameters and you need to drill down to see the individual paths.
This count does not include path records corresponding to Same Password exposure.
You can also view the details in a pie chart. Point to or click on a pie to view the corresponding path
details.

Privilege Account Access

A privilege account access represents a path, which may not exist currently. However, an attacker can
discover and exploit this vulnerability with some reconnaissance.
ThreatPath provides path details for the following privilege account access exposures:

198 Attivo Cloud User Guide

 ThreatPath
Understanding the Summary tab 12

• Exploiting enterprise admin credentials: Members of enterprise admin group have full access to all the
trusted domains in the same forest. If such a user is logged on in the network, an attacker can steal
those credentials. With some more reconnaissance, the attacker can understand the AD layout and
access any endpoint belonging to trusted domains in the forest.

• Exploiting domain admin credentials: Members of domain admin group have full access to the
domain. If such a user is logged on in the network, an attacker can steal those credentials. With some
more reconnaissance, the attacker can understand the AD layout and access any endpoint in that
domain.

• AD user or AD group added as a local admin user: A common misconfiguration is to add an AD user
or AD group as a local user on endpoints. Consider that a user has added mycompany\jdoe as an
administrative local user on JBOYCOTTLAPTOP. Currently, mycompany\jdoe is logged on to jdoe-PC.
If attackers compromise jdoe-PC, they can get access to JBOYCOTTLAPTOP with administrative
privileges. For this path, you must install Attivo Endpoint Application on both the source and target
endpoints.

• AD user or AD group added to local RDP group: ThreatPath draws a privilege account access path if
an AD user or AD group is added to the Remote Desktop Users group and a corresponding user is
logged on in the network.

AWS
To make programmatic calls to AWS API or to use the AWS CLI, users use the access key ID and secret
access key. These access keys are stored in a file for each user. From a compromised endpoint, an
attacker can access the AWS resources using these keys. When AWS access keys are detected on an
endpoint, a path is shown from the endpoint to aws.com.

Database
Users save database connection details in their database tools. From compromised clients, attackers
can exploit the saved credentials to escalate the attack to databases. Database paths indicate such
exposures from clients to database servers.
Note:
• Database paths are displayed only from Windows endpoints to MySQL and Microsoft SQL Server
databases. Other client operating systems and databases are not supported.

• In case of MySQL, the only supported client for ThreatPath is MySQL Workbench. The connection must
contain the hostname, username, and password.

• In case of Microsoft SQL Server, the only supported client for ThreatPath is ODBC Data Source
Administrator.

For the path to be drawn, the login ID must be saved when adding the File DSN. Therefore, one of
the options highlighted below must be used.

Attivo Cloud User Guide 199

12 ThreatPath
Understanding the Summary tab

• The path for both MySQL and Microsoft SQL is called Database.

• For the path to be displayed, a successful connection must have been established at least once. Also,
Lateral movement using database path definition must be enabled at Configuration | Endpoint
Policies | ThreatPath | Path Vulnerabilities.

SMB exposed credentials

This is the count of paths due to saved SMB credentials. ThreatPath displays an SMB path derived from
saved credentials when:
• A system has a shared folder with access to a saved credential, and that saved credential is exposed
in the credential manager to any other system.

• A system has a shared folder with access to a saved credential, and that saved credential is used to
logon to any other system.

The Shared folders that ThreatPath considers to draw SMB paths are %SystemRoot%, %WINDIR,
%SYSTEMDRIVE%, %PROGRAMFILES%, %COMMONPROGRAMFILES%,
%SYSTEMDRIVE%\Program Files, %SYSTEMDRIVE%\Program Files (x86), and all paths under
%PATH% environment variable.

Note: Because saving SMB credentials is common, by default, the Lateral movement using SMB saved
credential exposure definition is disabled. You can enable it from Configuration | Endpoint Policies |
ThreatPath | Path Vulnerabilities.

SMB critical paths

Users might share a system folder or an entire drive to AD users or AD groups. If a corresponding AD
user is logged on to a different endpoint, then attackers on that endpoint can rename or replace
executables and compromise the endpoint with the shared folder. For such cases, ThreatPath draws a
path from the remote endpoint to the endpoint on which a system folder is shared. Note that this path
is drawn only if the corresponding AD user has write permission.
For example, mycompany.com\vimsh is currently logged on at jdoe-PC, and this user has write access
to a shared folder in the C drive (C:\shared) of JBOYCOTTLAPTOP. So, a path is shown from the source
(jdoe-PC) to the target (JBOYCOTTLAPTOP).
ThreatPath processes for SMB critical paths only if Lateral movement using SMB critical share definition
is enabled at Configuration | Endpoint Policies | ThreatPath | Path Vulnerabilities.

RDP saved credentials

This is the count of paths due to saved RDP credentials. ThreatPath displays an RDP path derived from
saved credentials when:
• User credentials are saved in the credential manager. The target endpoints may or may not have
Attivo Endpoint Application installed on them.

• User is allowed in local RDP groups for an endpoint and user credentials are exposed on some other
endpoint.

• User is allowed in local RDP groups for an endpoint and some other endpoint logged in with these user
credentials.

• Active logged on RDP sessions on endpoints. The source or target endpoint may or may not have
Attivo Endpoint Application installed on it.

For example, the RDP credential for 10.x.x.195 (mycompany.com\rcollins) is saved at

JBOYCOTTLAPTOP. So, a path from JBOYCOTTLAPTOP (source) to 10.x.x.195 (target) is displayed.

200 Attivo Cloud User Guide

 ThreatPath
Understanding the Summary tab 12

RDP memory credentials

This is the count of paths due to active RDP connections. The Attivo Endpoint Application may be
installed on the source or destination to detect this exposure. If the source endpoint is compromised,
then the attacker can access the target through the active session.

Note: For both the RDP-based exposures, the Lateral movement using RDP path definition must be enabled
at Configuration | Endpoint Policies | ThreatPath | Path Vulnerabilities.

SSH
This the count of paths where the underlying protocol is SSH. The SSH paths are drawn from Windows,
Linux, or Mac clients to servers that listen for SSH. Users might save the credentials in their SSH clients
or use key-based authentication. When a client is compromised, attackers can steal the private key as
well as the corresponding IP address and user name related to that private key.
ThreatPath detects the SSH paths only if Lateral movement using SSH definition is enabled at
Configuration | Endpoint Policies | ThreatPath | Path Vulnerabilities.

SSH paths in case of Windows clients

In case of Windows clients, paths are detected for both credential and key-based authentication. For
credential-based authentication, the path is detected only when the following conditions are met:
• The SSH client used is PuTTY.

• The Host Name (or IP address) field contains the user name saved in the following format:
user_name@server_name or user_name@IP_address

Note: Saving the user name as part of the host name (or IP address) is mandatory for the path to be
detected.

Figure 12-2 SSH credential stored in PuTTY client

In case of key-based authentication, the following conditions must be met for the path to be detected:
• The Host Name (or IP address) field contains the user name saved in the following format:
user_name@server_name or user_name@IP_address

• The location of the private key is saved in the Private key file for authentication field under
Connection | SSH | Auth.

Attivo Cloud User Guide 201

12 ThreatPath
Understanding the Summary tab

SSH paths in case of Linux and Mac clients

SSH paths are detected from Linux and Mac endpoints only if the following conditions are met:
• Paths are detected only for key-based authentication.

• The user must have accessed the server from the bash shell in the following format:

Format: ssh <user_name>@<server name> or <IP address> -i <complete path to the private
key>

Example: ssh jdoe@192.0.2.10 -i ~/.ssh/id_rsa

• The user’s bash_history file shows an corresponding entry for the SSH access.

VPN
From a compromised client, attackers can harvest the saved VPN connection details. A VPN path
indicates an exposure from a client to a VPN server.
VPN paths are detected if the following conditions are met:
• VPN paths are displayed only from Windows endpoints.

• Only the Windows (built-in) VPN client is supported.

• The saved VPN details must contain the user name configured.

Web
ThreatPath displays an FTP or HTTP path derived from saved credentials. The path derived from a saved
web credential on an endpoint to an internal FTP or HTTP server is referred to as Web internal. This
internal server may or may not have the Attivo Endpoint Application installed on it.
For example, the credentials for admin of the Web application hosted on 192.168.2.10 is saved at
JBOYCOTTLAPTOP. So, a path is displayed from the source JBOYCOTTLAPTOP to the target
192.168.2.10.
ThreatPath detects this path only if Lateral movement using Web-internal hosts definition is enabled at
Configuration | Endpoint Policies | ThreatPath | Path Vulnerabilities.

Charts
The charts displayed in the Summary tab are explained in the following sections.

202 Attivo Cloud User Guide

 ThreatPath
Understanding the Paths tab 12

Top 5 credentials
This bar chart shows the count of the 5 most saved user names (saved credentials). Click on a bar to
view the details in the Paths tab. With this chart, you can determine the reason behind the most
number of exposures due to saved credentials. You can also determine which are required and which
can be remediated. You can also verify if any of these credentials are of high-value like that of an IT
admin or domain admin.

Paths Discovered vs Remediation

This chart shows the count of detected and remediated lateral-movement paths with a time reference.
For example, if you select week as the time-period, the chart displays the count in daily buckets. Point
to a bar to see the count.
The count of remediated paths is the count of exposures that were remediated (not the count of
remediated endpoints). For example, if 4 credentials are remediated on the same endpoint, then the
count is 4.
The x-axis of this chart shows the time buckets based on the time period you select. If you select year,
then the x-axis shows monthly buckets for the last 12 months. Similarly, for month and week, the x-
axis displays weekly and daily buckets respectively. If you select day, then the x-axis shows 4-hour
buckets.

Credentials per endpoint

This chart shows the average number of credentials (real plus deceptive) per managed endpoint in your
network. For Attivo Cloud to factor in deceptive credentials, you must deploy Lures.
Attivo Cloud computes the number of real and deceptive credentials on the managed endpoints. Then a
graphic representing the average number of real plus deceptive credentials per endpoint is displayed.
Consider endpoint-1 has only Lures deployed (no ThreatPath). There are 5 deceptive credentials
installed on endpoint-1.
Endpoint-2 has only Lures deployed and there are 10 deceptive credentials.
Endpoint-3 has both Lures and ThreatPath deployed. There are 5 deceptive and 4 real credentials.
Endpoint-4 has only Lures and there are 8 real credentials.
The average total credentials is (5 + 10 + 5 + 4 + 8)/4=8. That is, the total number of real and
deceptive credentials divided by the number of endpoints on which Attivo Endpoint Application is
installed.

Understanding the Paths tab

The Paths tab shows the path details in a card-view format for the following:
• Lateral movement paths.
• Critical AD accounts queried from the AD servers.

• Same Password exposure.

You can expand a card and then drill down to the individual path for the details of the exposure.
See:
Viewing paths in the card visualization
Viewing the details of an exposure

Attivo Cloud User Guide 203

12 ThreatPath
Understanding the Paths tab

Viewing paths in the card visualization

The card visualization provides options to group, filter, and sort the information, which can enable you
to find quick answers. For example, you can assess the security of a server farm by finding out the
paths and the corresponding credentials for each path. With this information, you can further improve
the security posture.
To view ThreatPath information in a card/tabular format, go to Analysis | Endpoints | ThreatPath |
Paths.

Note: Per subscriber, ThreatPath can display up to 225,000 paths with upper limits for each exposure.

Similar to the Summary tab, the data displayed in the Paths tab is too is based on the selected time
period. In the Paths tab, you select the time period using the First Seen filter. By default, the Paths tab
opens with the First Seen set to Month.
What does First Seen imply?
You can select year, month, week, day, or hour. Year, month, week, day, and hour correspond to the
last 365 days, 30 days, 7 days, 24 hours, and 60 minutes respectively from the current date and time.
When you select the time period, the ThreatPath data first detected during that time period and still
valid are displayed. For example if you select week, the Paths tab shows the exposures first detected
in the last 7 days and still exist as per the last analysis. However, exposures that do not exist at the last
analysis are not displayed.

Generic options in the Paths tab

Actions:
• Add rule: Create an Ignore or Remediation rule. See Define the ignore and remediation rules.
• Export: Export the currently displayed data to a CSV file.

• Remediation report: Click to access the Remediation report.

• Delete all: This deletes all the exposures-related data sent by Attivo Endpoint Application, but not the
AD-related data collected by Attivo Cloud. So, all the data related to Lateral movement paths and
Endpoint Exposures are deleted. This has a corresponding effect on the data displayed in the
Summary and Paths tabs. Click the refresh icon after you click Delete All.

At the next Update Frequency, the Attivo Endpoint Application instances send the current
exposures-related data. Attivo Cloud analyzes this data as per Analysis Frequency and displays the
detected exposures.

204 Attivo Cloud User Guide

 ThreatPath
Understanding the Paths tab 12

Understanding the card view

The paths are segregated initially in the card view. You can drill down to the tabular view for the
individual paths. You can also create ignore or remediate rules (as applicable) for the paths displayed.
For example, you can create these rules only for paths based on endpoint data and not for paths based
on AD data. You can also export the entire set of results or a specific group of paths to a CSV file.

Item Number Description

1 and 2 By default, the paths are grouped by credentials and sorted by target. With this default
view, you can find out the high-value credentials which have been exposed in your
network.

Important: The Paths tab always defaults to, First Seen: Month, Group By: Credential
and Sort By: Target. That is, the view settings and filters you select are not preserved if
you revisit the tabs in ThreatPath.

3 Expand to view the individual paths for this credential.

4 Following are the possible values for Detection Type. A credential can have more than one
Detection Type too. For example, a credential can be a privilege account as well as exposed
at some endpoint. Then, this field displays AD Privilege Accounts | Paths.
• Paths: Indicates these are lateral-movement paths detected based on the credentials
and active sessions on endpoints.
• AD Privilege Accounts: Indicates that the credential belongs to domain admin or
enterprise admin security group in AD.
• AD Service Accounts: Indicates that the credential is a service account (can be
managed or unmanaged).
• AD ACLs: Indicates these are delegated admins (AD users with ACLs or shadow
admins).
5 Shows the endpoint to which an adversary can move to. If Multiple is displayed, then it
indicates that the credential has access to multiple target servers, which all are at risk.
Expand to view the individual target endpoints in the paths.
6 This Reason field indicates the severity (red for high, yellow for medium, and blue for low)
as well as the summarized narrative for the group of paths. Point to the colored circle to
see the severity.

When you expand the grouped paths (#3 above), the individual exposures are listed. Here is an
example of detection type -path.

Attivo Cloud User Guide 205

12 ThreatPath
Understanding the Paths tab

Item Description
1 For the individual paths, the Detection Type shows the exposure type with the source of
the path in parenthesis.
2 Indicates the target of the path. Note how the target of the group is displayed as Multiple
because the individual paths target more than one endpoint.
3 Indicates when ThreatPath first detected this exposure. Note that other factors also
influence this value. For example, if you re-install Attivo Endpoint Application today, then
this value will change accordingly.
4 The narrative for the path.
The severity of the individual paths is based on the severity for the paths.
Horizontal ellipsis in Click to remediate immediately or to create the required rule for the path.
the Actions column

• Here is an example of detection type - AD privilege accounts

The Detection Type column shows the AD groups in which the credential is member of. The Target
column shows the impact. Reason column provides the severity and detailed narrative.

Note: For AD-related paths, the severity is as per default and you cannot customize it.

• Here is an example of detection type - AD service accounts

The service accounts can be managed or unmanaged. If service account name is truncated (under
Credential), click Details or see the Reason column. The target shows the SPNs defined in the
service account.

Pivoting the ThreatPath data

The main advantage with the card visualization is that you can pivot the data using the Group By
option. This enables you to visualize the exposures from different aspects. The value you select for
Group By alters the column headings accordingly when you expand an item in the card view.
• Credential: Groups paths under credential. For example, you can find out the paths for each domain
administrator detected in the last 7 days. Therefore, you can be up-to-date regarding the security of
the “crown jewels” of your AD infrastructure.

Credentials can be of 3 types:

206 Attivo Cloud User Guide

 ThreatPath
Understanding the Paths tab 12

• Credential used to log on to the source endpoint. For example, you logged on to endpoint-A as jdoe
and jdoe has access to endpoint-B as well through a supported service (like RDP or Web).

• Saved credential. You logged on to a managed endpoint-A, and on this endpoint, you saved the
credentials for a supported service to access endpoint-B.

• Active session. You logged on to a managed endpoint-A and then connected to endpoint-B over a
supported service.

• Target: For example, you can check if there are any paths to each of the critical servers of your
organization.

• Severity: You can find the paths grouped based on severity - high, medium, and low.

• Permission Name: For example, you can find out what are the AD credentials with Reset Password
ACL and what are corresponding targets for each.

Using the Group By and Sort By in tandem, you can further tune the display. For example, you can find
group by credentials and sort by targets.
In addition to pivoting options, you can use the Sort By options based on where you want to focus first.
Filtering the ThreatPath data
You can use the filtering options to define the paths to be displayed. The following filtering options are
available in the card visualization.
• Filter by Severity. For example, you can view just the high-severity paths.

• Filter by - You can select one or more parameters listed below. When you select a parameter, the
relevant values from the database are listed. You can select one or more of these values.

Consider that you want to filter the paths originating from a specific endpoint to the computers in
a specific OU. To do so:

a Select Source IP from the Filter By list.

b The available source IP addresses are listed with their counts in parenthesis.

You can select one or more values. If you select multiple values for a parameter, then OR
condition applies.

c Similarly select Target OU from the list and select one or more values.

If you select multiple parameters, AND condition applies between them. For the same
parameter, if you select multiple values, OR condition applies.

Only the data matching the criteria are displayed. Click Clear all to clear the filters (does not
impact other view options).

You can also enter a keyword as a filter. For example, to search for paths involving Jordan, just click in
the box and enter Jordan.
Some of the parameters available in Filter By are explained below:
• Password Not Reset (Time): This filter is relevant for AD data. View the credentials for which the
password reset has not happened in the last X time period. For example, view the privileged accounts
for which password has not been reset in the last quarter.

• Last Logged in (Time): This filter is relevant for AD data. Filter based on last logged on as per the data
in the AD. For example, use it to view the credentials, which can be disabled or deleted in the AD.

• Detection Type: Use this filter to view endpoint-based paths or AD-based paths.

• Created Time

Attivo Cloud User Guide 207

12 ThreatPath
Viewing the Credentials Report

• Target (other)

Viewing the details of an exposure

You can expand a record in the card view to view the individual paths in that group. These individual
paths are displayed in the tabular format.
To view all the paths, download the entire set of paths as a CSV file.
Each row in an expanded card represents a path. If a credential is stored in both the endpoints and that
can be used to access the other, two paths are displayed in 2 separate rows.
• If ThreatPath analysis is currently in progress, the old paths are shown until the current paths have
been computed. If there are more than 25,000 paths, then the first set of 25,000 paths is shown. The
tabular view is then incremented in sets of 25,000 paths until all the paths are computed.

• If you see All Computers displayed as part of the Destination Hostname, then that row represents
a privilege account access involving a privileged user such as an enterprise admin or a domain admin.
This row indicates that an attacker can use the privileged user’s credentials present in the source host
to virtually move to any other endpoint within the domain or forest.

Viewing the Credentials Report

For managed endpoints with ThreatPath configured, you can generate a credentials report, which
contains the real and deceptive credentials segregated as per service. For example, you can find the
deceptive credentials installed for RDP, SMB, and so on. You can also find the real credentials saved on
this endpoint segregated by service. You can also find the local and domain credentials saved on this
endpoint. This report also lists the vulnerabilities (misconfigurations) detected by ThreatPath. All these
details are as per the last ThreatPath analysis. For example, if a vulnerability detected at the last
ThreatPath analysis is rectified, then that vulnerability is not listed at the next analysis.
To generate the Credentials Report, go to Analysis | Endpoints | Managed Endpoints. Select an
endpoint that has ThreatPath installed and click Actions | Credentials. The credentials marked as
(R) are real and correspond to ThreatPath and those marked as (D) are deceptive and correspond to
ThreatStrike.
Note:
• Consider you have configured only ThreatStrike but not ThreatPath and installed Attivo Endpoint
Application on the endpoints. Then, when you point to the corresponding endpoint icon in ThreatPath,
you can view only the following:

• The user name logged on to the endpoint.

• Local users defined in the endpoint.

• ThreatStrike deceptive credentials installed on the endpoint.

• ThreatPath displays the credentials regardless of whether there are paths to the managed endpoints.

• ThreatPath displays the credentials even if the user is currently logged off from the endpoint.
However, logged off users are not considered for ThreatPath analysis (for displaying the paths).

• Amber dot (with letter D) indicates that it is a deceptive one and blue dot (with letter R) indicates that
it is a real one.

• For Windows endpoints, only the deceptive credentials are displayed for some of the applications,
whereas for some other applications both deceptive and real credentials are displayed. Refer below
lists for the information.

Both deceptive and real credentials are displayed for the following applications.

208 Attivo Cloud User Guide

 ThreatPath
Remediation through ThreatPath 12

• Mozilla Firefox

• Google Chrome

• Internet Explorer (Web based authentication)

• Explorer (Common Internet File System File Share Client)

• Mstsc (Remote Desktop Protocol Client)

• MySQL workbench

• ODBC DSN (MS SQL)

• Windows Native VPN (VPN)

Only the deceptive credentials are displayed for the following applications.

• Outlook (Email Clients)

• FileZilla (FileZilla FTP Client)

• Putty (Secure Shell Client Known Hosts)

• LSASS (Memory Cached Credentials)

• Internet Explorer (Web File Transfer)

• Browser favorites (Web Browser Favorites)

• DNS (Domain Name Service)

• Scripts & files

• Local Administrator (Local Administrators)

Remediation through ThreatPath

To nullify the exposures reported in ThreatPath, you have to remove the corresponding saved
credential or shared folder. This is usually done through the IT administrator of the affected endpoints.
Such an exercise could cost precious time. However, with ThreatPath, you can remediate the endpoints
through Attivo Endpoint Application without any user intervention.

Note: In the Paths tab, select Remediable from the Filter by list and then select True to view all the
remediable exposures.

How does ThreatPath remediation work?

You can trigger remediation in two ways:
• You can manually trigger remediation from the Paths tab. Expand a card in the Paths tab, click the
horizontal ellipsis of a path, and then select Remediate. To create a rule, select Remediate Rule.

• Automatically trigger remediation by creating a remediation rule in Attivo Cloud. You must set the
action for this path rule as remediate. When a path matching a remediation rule is discovered, the
path is displayed in ThreatPath. Remediation is also immediately triggered for this attack path. See
Steps to define ThreatPath rules.

The remediation is executed by the Attivo Endpoint Application installed on the corresponding
endpoints. Therefore, remediation is possible only on managed endpoints.

Attivo Cloud User Guide 209

12 ThreatPath
Remediation through ThreatPath

At what point in time is the endpoint remediated?

When remediation is initiated either manually or through a rule, Attivo Cloud internally creates the
remediation tasks for Attivo Endpoint Application to execute. When Attivo Endpoint Application
completes the remediation depends on the mode in which Attivo Endpoint Application is installed.
• For the current user in non-service mode (/i parameter): First the remediation task is internally
created in the Attivo Cloud. Because the task is yet to be communicated to Attivo Endpoint
Application, remediation is in initiated state. When Attivo Endpoint Application is deployed next time
on the endpoint, the remediation task is communicated to Attivo Endpoint Application. At this point
in time, the credential is removed from the endpoint. When the credential is being removed, the
remediation status is displayed as pending. When the credential is removed, the remediation status
is success.

• For all users in non-service mode (/ia parameter): First the remediation task is internally created in
the Attivo Cloud. Because the task is yet to be communicated to Attivo Endpoint Application,
remediation is in initiated state. When Attivo Endpoint Application executes next time, like when a
user logs on, the corresponding credential is removed on the endpoint. The remediation status then
progresses to success.

• In service mode (/service parameter): First the remediation task is internally created in the Attivo
Cloud (remediation is in initiated state). At the next update interval (configured in the protection
policy), the remediation task is communicated to Attivo Endpoint Application (remediation is in in
progress state). When the corresponding user is logged on, the corresponding saved credential is then
removed immediately on the endpoint.

If Endpoints Notification is configured, then the remediation task is communicated to Attivo

Endpoint Application immediately (without having to wait for the update interval).

The remediation details are displayed in the Remediation Report. Click Remediate in the ThreatPath
Summary tab to access this report. You can also access it from the Actions list in the Paths tab. If you
uninstall Attivo Endpoint Application, then the remediation details for that endpoint are no longer
available in the Remediation report.

Note: Even if the remediation is complete, the attack path is displayed in ThreatPath until the next
ThreatPath analysis by the Attivo Cloud.

Canceling remediation
If remediation is in initiated or in progress state, you can cancel the remediation task, if required. You
can do this by clicking Cancel from the Paths tab.

210 Attivo Cloud User Guide

 ThreatPath
Remediation through ThreatPath 12

Following are the possible statuses:

• Canceled - indicates you canceled the remediation.

• Cancel in progress - The cancel requested by you is being progressed.

• Cancel failed - Unable to cancel.

If remediation is in initiated state, then you can immediately cancel the remediation. If the remediation
is in in progress state, and you cancel remediation, then it is canceled when the corresponding user
next logs on.

Remediation of specific attack paths

This section explains the remediation process for specific attack paths displayed in ThreatPath.
AWS access keys
When AWS access keys are detected on an endpoint, a path is detected from the endpoint to aws.com.
The AWS access keys might be stored on a Windows, Linux, or Mac endpoint. When you remediate this
path, the access key ID, secret access key are removed from the credentials file of the user. Also, the
region and output file format details are deleted from the config file.
If there are AWS profiles, then the access keys and config data are deleted based on the profile name.
Consider there are two sets of AWS access keys, that is there are two profiles. When you remediate,
one of the paths, then the access keys and config data corresponding to the profile name are deleted on
the endpoint.

SMB saved credential

When you remediate, the saved SMB credential is removed from the source. The share permissions on
the target endpoint are not altered.
You cannot remediate active logged on sessions.

SMB critical share

There are two options when you remediate SMB critical share from the Paths tab. You can either
remove the share on the target or change the permissions from write to just read. No credentials are
removed on the source endpoint.

Note: You cannot create a remediation rule for SMB critical share.

If you opt to change permissions, you can opt to remove the write permissions for all or specific users.

Attivo Cloud User Guide 211

12 ThreatPath
Remediation through ThreatPath

RDP memory credential

This path indicates an active RDP connection. When you remediate, the RDP connection is terminated.
If the source is managed, then the RDP connection is terminated at the source.

RDP credential manager

When you remediate, the corresponding RDP credential saved in Windows Credential Manager is
deleted at the source.

SSH
In case of Windows, the SSH paths are detected for saved credentials as well as key-based
authentication. In case of Linux and Mac, paths are drawn only for key-based authentication.
When you remediate a password-based path in Windows, Attivo Endpoint Application deletes the saved
credential from the endpoint for the corresponding user. The saved credential is no more visible in the
PuTTY client.
When you remediate a key-based authentication in a Windows endpoint, the entry is deleted in the
PuTTY client. When you remediate an SSH path from a Linux or Mac endpoint, the corresponding entry
in the bash_history file is removed.

When you remediate a key-based SSH path, the private key on the endpoint is never deleted. Even if
the attacker has access to the private key, there is no information regarding the user name or target IP
address.

Web internal
Remediation is supported only for the credentials saved in Internet Explorer 11. When you remediate,
the corresponding credential is deleted from Windows Credential Manager in the source endpoint.

212 Attivo Cloud User Guide

 ThreatPath
Remediation through ThreatPath 12

VPN
When you remediate this path, the saved VPN connection details are deleted in the source endpoint.

Database
In case of MySQL, the password stored in the MySQL Workbench vault is cleared. In case of Microsoft
SQL Server, the corresponding DSN file is deleted at the source endpoint.

Privilege account access

Privilege account access is a logical path that exists due to a currently logged-on session or saved
credential of a domain user with escalated privileges. Privilege account access due to saved credentials
are remediable, but not the ones due to logged-on sessions.
For example, privilege account access due to the following logged-on sessions are not remediable:
• Member of the enterprise admin group or domain admin group is logged on in a managed endpoint.

• A domain user or group is added to the Remote Desktop Users group and a corresponding user is
logged on in a managed endpoint.

• A domain user or a domain group is added as a local user on a managed endpoint.

When you remediate a privilege account access, the saved credential at the source is deleted.

Attivo Cloud User Guide 213

12 ThreatPath
Remediation through ThreatPath

214 Attivo Cloud User Guide

13 Deploying Attivo Endpoint Application

Install Attivo Endpoint Application on endpoints

After you download the Attivo Endpoint Application from the Attivo Cloud, you run the corresponding
file on endpoints to implement the endpoint security features. You can manually install Attivo Endpoint
Application on endpoints or use endpoint management applications such as McAfee ePO and ForeScout
CounterACT to install Attivo Endpoint Application from a central location.

EDN features support matrix

The following table lists the operating systems on which the endpoint features are supported.

Lures ThreatPath ADSecure-EP Deflect DataCloak

CentOS 6.5 - 32 Bit     
CentOS 6.5, 7.0 and     
7.3 - 64 Bit
Ubuntu 14.10, 16.04 -     
32 Bit
Ubuntu 14.10, 16.04     
and 18 - 64 Bit
RHEL 6 - 32 Bit     
RHEL 6, 7.4 and 7.5 -     
64 Bit
Debian 10 - 64 Bit     
Windows XP - 32 Bit     
Windows 7 - 32/64 Bit     
Windows 8 - 32/64 Bit     
Windows 8.1 - 32/64     
Bit
Windows 10 - 32/64     
Bit
Windows 11 - 64 Bit     
Windows Server 2008     
– 32 Bit
Windows Server 2008
R2 - 64 Bit
Windows Server 2012     
- 64 Bit
Windows Server 2016     
- 64 Bit

Attivo Cloud User Guide 215

13 Deploying Attivo Endpoint Application
Install Attivo Endpoint Application on endpoints

Lures ThreatPath ADSecure-EP Deflect DataCloak

Windows Server 2019     
- 64
Windows Server 2022     
- 64 Bit
MAC - 10.10.x - 64 Bit     
MAC - 10.11.x - 64 Bit     
MAC - 10.12.x - 64 Bit     
MAC - 10.13.x - 64 Bit     
MAC - 10.14.x - 64 Bit     
MAC - 10.15.x - 64 Bit     

Note:
• For the complete and updated list of supported endpoints’ operating systems information, always
refer to the Endpoint Features Support Matrix document present on the support portal.

Common Attivo Endpoint Application parameters

When you run Attivo Endpoint Application on an endpoint, you must specify the parameters based on
the security feature you want to implement and how you want it to be implemented. For example, you
can choose to run Attivo Endpoint Application as a service to install deceptive tokens for all users of an
endpoint. For this, you use the /service and /ia parameters.
The Attivo Endpoint Application parameters applicable to all the endpoint security features are
discussed in this section.

216 Attivo Cloud User Guide

 Deploying Attivo Endpoint Application
Install Attivo Endpoint Application on endpoints 13

Parameter Description
/service Use this parameter to run Attivo Endpoint Application as a persistent service on endpoints.
• You need elevated privileges to install Attivo Endpoint Application as a service. In case
of Windows, you must be part of the local Administrators group. In case of Linux and
Mac, you need super-user privileges.
• You do not need to use /service when you want to uninstall Attivo Endpoint Application
installed as a service.
• If you had installed Attivo Endpoint Application in service mode, and you want to re-
install Attivo Endpoint Application in non-service mode, then you must uninstall Attivo
Endpoint Application and then re-install it.
• If you had installed Attivo Endpoint Application in non-service mode, and you want to
re-install Attivo Endpoint Application in service mode, then you need not uninstall Attivo
Endpoint Application. You can directly re-install Attivo Endpoint Application in service
mode.
The effect of /service parameter on the features is as below:
ThreatStrike: If you install ThreatStrike for all users and in service mode, then the
deceptive tokens for the admin user used for installation is installed immediately. The
ThreatStrike service installs the deceptive tokens for users who login subsequently.
The ThreatStrike service connects to the Manager at specific intervals to check for changes
in the profile. If you had made any changes in the corresponding ThreatStrike profile, the
ThreatStrike service automatically updates the deceptive tokens on the endpoint as per the
current ThreatStrike profile.
If the BOTsink is unreachable for the ThreatStrike service to send the installation status,
the ThreatStrike service attempts to reach BOTsink continuously and when the connection
is re-established, the ThreatStrike service updates all the status.
ThreatPath: Attivo Endpoint Application checks with the Manager for any changes in
ThreatPath configuration at the update interval specified in the corresponding client group
record. Manager sends the following changes to Attivo Endpoint Application.
• Whether ThreatPath is now disabled or enabled in the client group.
• Changes to vulnerability policy.
/server Use this parameter to specify the IP address or host name of the Attivo Cloud. Then, Attivo
Endpoint Application contacts this IP address to send the information gathered from the
endpoint and to check for configuration updates.
By default, the IP address of the Attivo Cloud is hardcoded in Attivo Endpoint Application.
So, you do not generally need to use this parameter. This parameter is useful for the
following:
• You want Attivo Endpoint Application to use the Attivo Cloud’s FQDN instead of the IP
address.
• To override the default IP address hardcoded in Attivo Endpoint Application with a
different IP address or FQDN. For example, the Attivo Cloud is on the cloud (and
unreachable to Attivo Endpoint Application). So, you want Attivo Endpoint Application
to contact a public IP, and then routed to the Attivo Cloud by the NAT system.

Note: Post installation, if you need Attivo Endpoint Application to contact a different IP
address or FQDN, then you must reinstall Attivo Endpoint Application.

/auth When Attivo Endpoint Application contacts the Attivo Cloud, it authenticates using a code.
Similar to the Attivo Cloud IP address, the authentication key is hardcoded. Optionally, you
can pass the authentication code as a parameter when you run Attivo Endpoint Application.

Attivo Cloud User Guide 217

13 Deploying Attivo Endpoint Application
Install Attivo Endpoint Application on endpoints

Parameter Description
/p When you install Attivo Endpoint Application, a binary file is created to implement the
endpoint security features. By default, this binary file is created at
%programdata%\<application name you specified in the client group>
folder. For example, if you specify tsa_client as the Application Name in the client
group, then the ThreatStrike binary file is created at %programdata%\tsa_client folder
by default.
Instead of %programdata%, you can also install the Attivo Endpoint Application binary file
at a different location on the endpoints.
Consider that tsa_client is the Application Name in the client group.
Consider you execute the following example commands:
Example 1: <name of the Attivo Endpoint Application EXE file> /i /p C:\Users\tsa
Example 2: <name of the Attivo Endpoint Application EXE file> /ia /p C:\Users\tsa
In example 1, the Attivo Endpoint Application binary file is created for the current user at
C:\Users\tsa\tsa_client.
In example 2, the Attivo Endpoint Application binary file is created for all users at
C:\Users\tsa\tsa_client.

Important: The folder where you want to install Attivo Endpoint Application must already
exist on the endpoint and also whitelisted in the endpoint security applications.

You do not need to use the /p parameter when you uninstall the traces.
If you had used the /p parameter, then you must use /p parameter whenever you re-install
Attivo Endpoint Application. Also, you must use the same folder for the reinstallation. That
is, folder name and location must be same.
If you use the /p parameter with /ia (that is, for all users), note that the user belonging to
the local administrators group installing the Attivo Endpoint Application must have full
control to the corresponding folder.

/d Use this parameter to automatically delete Attivo Endpoint Application after installation.
/v Use this parameter to view verbose logs during Attivo Endpoint Application installation.
/delaymount Use this parameter to delay user level installation in service mode for the newly logged on
users for a given number of seconds. Specify the range of seconds in between 1- 900.
Consider that you have some scripts that mount some drives on your endpoints at the time
of user login and you don’t want the ThreatStrike installable to use these specific drives as
deceptive drives. Then you can use the /delaymount parameter while installing the Attivo
Endpoint Application binary to give enough time to your logon script to complete mounting
its drives. The ThreatStrike installable then will not take over these production drives to
mount the deceptive drives.

218 Attivo Cloud User Guide

 Deploying Attivo Endpoint Application
Install Attivo Endpoint Application on endpoints 13

Parameters specific to ThreatStrike and ThreatPath

Parameter Description
/i ThreatStrike: Installs the deceptive tokens for the current user who is installing Attivo
Endpoint Application.
ThreatPath: Attivo Endpoint Application gathers the required information for the current
user from the endpoint, checks for any misconfigurations as per the vulnerability policy,
and sends these details to the Attivo Cloud.

Note: Though Attivo Endpoint Application updates the Attivo Cloud at installation time,
the Attivo Cloud draws the paths for these details only at the next update interval
(Update frequency in the Advanced ThreatPath configuration).

/nonpersist If Attivo Endpoint Application is installed with /i /nonpersist parameters, then Refresh
credentials and LSASS configurations will not be considered and it will not run persistently
in the endpoint's memory. This is applicable only for ThreatStrike installed on Windows
endpoints.
/u ThreatStrike: Uninstalls the deceptive tokens for the current user who is running this
parameter.
ThreatPath: Attivo Endpoint Application stops collecting information for ThreatPath. At
the next update interval, Attivo Cloud removes the paths drawn from information gathered
for the corresponding user on that endpoint.
/ia You need elevated privileges to install Attivo Endpoint Application for all users. In case of
Windows, you must be part of the local Administrators group. In case of Linux and Mac,
you need super-user privileges.
If BOTsink becomes unreachable during installation on Windows, Linux and Mac machines
(in all-user non-service mode), the installation status message will be remembered. The
remembered message will be sent to BOTsink when it becomes reachable, during the next
refresh interval or the user login.
ThreatStrike: ThreatStrike traces are installed immediately for the administrative user
who is installing the ThreatStrike executable. For all other users (including the other
currently logged on administrative users), the ThreatStrike traces are installed at their
next logon.
ThreatPath: Attivo Endpoint Application gathers the required information for the user who
is installing Attivo Endpoint Application and sends these details to the Attivo Cloud. For
other users, Attivo Endpoint Application gathers information at their next logon.
As with /i, though the endpoint information is sent to Attivo Cloud as soon as it is gathered,
the Attivo Cloud uses this information only at the next update interval.
/ua Use /ua only if you had used /ia for installation.
No need to use /p with /ua even if you had used /p during installation.
ThreatStrike: This deletes the deceptive tokens and the binary file for the current admin
user who is executing the command. For all other users, the tokens and binary file are
deleted at their next logon.
ThreatPath: Attivo Endpoint Application stops collecting information for ThreatPath for
the all users immediately. At the next update interval, Attivo Cloud removes the paths
drawn from information gathered from the endpoint.

Signing of Attivo Endpoint Application

By default, Attivo Endpoint Application for Windows is signed by Attivo Networks. When you install
Attivo Endpoint Application in service mode, it runs in persistent mode from the default location or from
the folder path you specified. The properties of the Attivo Endpoint Application shows that the binary is
signed by Attivo Networks.
By looking at the signature details, attackers can figure out that presence of deception being employed.
To avoid this, you can sign the Attivo Endpoint Application with your organization’s signature. The tools
and the ReadMe to sign Attivo Endpoint Application are bundled in the Attivo Endpoint Application ZIP
that you generate from a client group.

Attivo Cloud User Guide 219

13 Deploying Attivo Endpoint Application
Install Attivo Endpoint Application on endpoints

Manually install Attivo Endpoint Application

This section provides the steps to manually install Attivo Endpoint Application.

Installation on a Windows endpoint

The following are the Windows operating systems on which you can install Attivo Endpoint Application:
• Windows 11 (64 bit)

• Windows 10 (32 and 64 bit)

• Windows 8.1 (32 and 64 bit)

• Windows 7 (32 and 64 bit)

• Windows XP (32 bit only)

• Windows Server 2012

• Windows Server 2008 (32 and 64 bit)

• Windows Server 2016

• Windows Server 2022 (64 bit)

Note: You cannot install Attivo Endpoint Application on Windows Home editions.

Before you begin:

• To install Internet Explorer web credentials, Microsoft .NET Framework 4.0 or later must be
installed on the endpoints.

• Extract the .exe file from the ThreatStrike installation ZIP file. This is the ThreatStrike executable
for Windows endpoints.

The following steps explain how you manually run the ThreatStrike installable on a Windows 7 endpoint.
You can also install through security applications such as ForeScout CounterACT.
Steps:
1 Log on to a target endpoint.

Note: To install Attivo Endpoint Application with /ia parameter, you must log on with administrative
privileges. That is, the user must be part of the local Administrators group.

2 Open Windows Command Prompt and navigate to the folder containing the Attivo Endpoint Application
installable.

220 Attivo Cloud User Guide

 Deploying Attivo Endpoint Application
Install Attivo Endpoint Application on endpoints 13

Note: To install Attivo Endpoint Application with /ia parameter, run the Command Prompt as
administrator. This note does not apply to Windows XP endpoints.

3 Type in <name of the Attivo Endpoint Application installable setup.exe file> and press
the Enter key.

Information about the available parameters are displayed.

Parameter Description
i Install Attivo Endpoint Application traces for current user.
u Un-install Attivo Endpoint Application traces for current user.
ia Install Attivo Endpoint Application traces for all users. Require elevated user privileges.
ua Un-install Attivo Endpoint Application traces for all users. Require elevated user privileges.
m Capture memory forensic details.
version Print Endpoint Binary Version.
Optional parameters
service Install as Service.
server <IP> Server IP.
auth <auth code> Auth code
p <install Path> Installation Path
tunnelip <IP> Tunnel ip. Applicable only in service mode installation.
nonpersist Non persistent Mode. Applicable only for /i mode.
d Delete binary.
deploymentid <id> Deployment software id for install.
delaymount Delay user level installation in service mode for newly logged in users for given seconds.
Value should be in (1-900) seconds range.
prep Installs for master operating system image. Unique key will be changed once clone image
is created from master operating system image.
v Print verbose information.
epo Integrate with McAfee ePO.
V2off Turn off the WPP tracing(.etl).
ihelp To show the Help with internal options.
Deployment server configurations
ds Installs deployment service. Supported with /service option only.
suser For service user name to be used by deployment service.
guser Guest user name to access the deployment share.
gpwd Guest password to access the deployment share.
Use Digital Signature of installer package
changesign For update digital certificate.
kf <file path> Private key file used with /changesign.
ac <file path> Additional Certificate file used with /changesign.
ts <time stamp url> Time stamp server URL used with /changesign.
sub <name> Subject name reference of code signing certificate in certificate store used with /
changesign.
batch <file path> Change sign using batch file used with /changesign.
Access Protection options
protecton To enable access protection.
protectoff To disable access protection.

Attivo Cloud User Guide 221

13 Deploying Attivo Endpoint Application
Install Attivo Endpoint Application on endpoints

• Installing Attivo Endpoint Application with the required parameter.

For example, to install Attivo Endpoint Application for the current user, run the following
command:

Syntax: <name of the Attivo Endpoint Application installable setup.exe file> /i /d /v

Example: ThreatStrike_HR_230_subnet_setup.exe /i /d /v

The front-slash must be preceded by a space as shown above.

When you execute the Attivo Endpoint Application installable, the following happen:

• You can view the updated information in the Analysis | Endpoints | Managed Endpoints page
of the Attivo Cloud. See Monitoring the status of Attivo Endpoint Application installation

Every time a new user logs on, Attivo Endpoint Application runs and information updated on the
Managed Endpoints page.

Notes specific to ThreatStrike:

• If Refresh credentials or LSASS is configured, then note the following:

• If installed for the current user (/i), then Attivo Endpoint Application runs persistently in the
endpoint’s memory if you have configured Refresh credentials or LSASS. In this case, if you do not
want Attivo Endpoint Application to run persistently in the endpoint's memory, then use /
nonpersist parameter along with /i parameter. If you use /nonpersist parameter, then on the
corresponding endpoint Refresh credentials and LSASS will not be supported.

• If installed for all users (/ia), then Attivo Endpoint Application adds a scheduler task on the
corresponding endpoints. This scheduler task is named as per the service name you provided in
the client group.

• For some applications such as Mozilla Firefox, ThreatStrike traces might not be installed if they are
open when you run Attivo Endpoint Application.

• Consider you install the same Attivo Endpoint Application installable on an endpoint for a second time.
That is, the ThreatStrike traces are installed on the endpoint and you attempt to install the same
ThreatStrike traces again. Then:

• If LSASS or Refresh credentials is configured, the ThreatStrike traces are uninstalled from
the endpoint and reinstalled.

• If both LSASS and Refresh credentials are not configured, then the ThreatStrike traces are
refreshed (even though Refresh credentials is not enabled) but the existing ThreatStrike
traces are retained.

• If any deceptive tokens (breadcrumbs) are deleted manually from the Credential Manager on
Windows, those credentials will be recovered during the next credential refresh interval.

Installation on Linux endpoint

For Linux endpoints, the Attivo Endpoint Application is an encrypted/encoded shell script. You can
install the Attivo Endpoint Application script remotely. But the following steps explain how you manually
run the Attivo Endpoint Application script on an Ubuntu desktop.
The following steps explain how you manually run the Attivo Endpoint Application on an Ubuntu 13
endpoint.

Note: Attivo Endpoint Application is not supported on Kali Linux.

Before you begin:

• Extract the atirwraplinux.sh file from the Attivo Endpoint Application ZIP file. This is the Attivo
Endpoint Application installation script for Linux endpoints.

• To install Attivo Endpoint Application to all users, you need super-user permission on the endpoints.

222 Attivo Cloud User Guide

 Deploying Attivo Endpoint Application
Install Attivo Endpoint Application on endpoints 13

Steps:
1 Log on to a target endpoint.

2 Go to the directory containing atirwraplinux.sh.

3 Execute “bash atirwraplinux.sh”

Information on the available options are displayed.

• If ThreatStrike traces are already present on an endpoint, they are automatically deleted before
inserting the current ThreatStrike traces. So, you can install ThreatStrike traces without verifying
for older ThreatStrike traces.

• To run Attivo Endpoint Application as a service, use the -service parameter.

• You do not need to specify the /server <IP> or the /auth <auth code> parameter since the Attivo
Cloud IP address and authentication key are included in the Attivo Endpoint Application.

• For security purposes, recommend that you delete the Attivo Endpoint Application installable on an
endpoint post installation. For this you must use the -d parameter.

• If you use the -v parameter, you can view the status for each task during the installation.

• It is recommended that verbose output is redirected to a file because, sometimes the Linux Console
may not be handling the generated output correctly and non-readable characters may be
displayed.

Example: sudo bash atirwraplinux.sh –ia -v > install.log

4 For example, to install Attivo Endpoint Application for all users run the following command:

Syntax: sudo bash <name of the Attivo Endpoint Application installation script for Linux>
-ia -v
Example: sudo bash atirwraplinux.sh –ia -v

Note:
• The Attivo Endpoint Application installation should be done using bash shell on the Linux endpoint.

• For other users whose logon shell is z shell, k (korne) shell then the installation will happen
automatically upon their logon, if the installation mode is all user or all user with service.

• For the users whose logon shell is C, Fish and Debian shell, then the installation may not happen on
their logon. However, on manually executing the script on these shells the installation may happen
but Attivo does not recommend this.

• If Attivo Endpoint Application script is executed manually in the C shell, an error message stating
“Ambiguous output redirect” is displayed.

Attivo Cloud User Guide 223

13 Deploying Attivo Endpoint Application
Install Attivo Endpoint Application on endpoints

Installation on Mac endpoint

For Mac endpoints, the Attivo Endpoint Application is an encrypted/encoded shell script.

Note: To install Attivo Endpoint Application, the Mac endpoint must run 64-bit Mac OS.

You can install the Attivo Endpoint Application installation script remotely. But the following steps
explain how you manually run the Attivo Endpoint Application installation script on a Mac endpoint.

Note: Few ThreatStrike deceptive tokens are installed in the default keychain. If the default keychain is
locked, then the deceptive tokens cannot be installed. Also, if the default keychain is locked post installation
of Attivo Endpoint Application, then the deceptive tokens are not deleted when you uninstall Attivo Endpoint
Application.

Before you begin:

• Extract the atirwrapmac.sh file from the Attivo Endpoint Application ZIP file. This is the Attivo
Endpoint Application installation script for Mac endpoints.

• To install Attivo Endpoint Application for all users, you need super-user privileges on the endpoints.
Steps:
1 Log on to a target endpoint.

2 Go to the directory containing atirwrapmac.sh.

3 Execute bash atirwrapmac.sh

Information on the available options are displayed.

• If ThreatStrike traces are already present on an endpoint, they are automatically deleted before
inserting the current ThreatStrike traces. So, you can install ThreatStrike traces without verifying
for older ThreatStrike traces.

• To run Attivo Endpoint Application as a service, use the -service parameter.

• For security purposes, recommend that you delete the Attivo Endpoint Application installable on an
endpoint post-installation. For this you must use the -d parameter. However, installing Attivo
Endpoint Application for all users (-ia parameter), persists the Attivo Endpoint Application on the
corresponding Mac endpoints. So, do not use the –d parameter with –ia.

• On the endpoint, you can view the status for each task during installation of deceptive tokens. For
this, you must use the -v parameter. The -v parameter is applicable only for current user (-i) and
not for all users (-ia).

4 For example, to install the Attivo Endpoint Application for all users run the following command:

Syntax: sh <name of the Attivo Endpoint Application installation script for Mac> -ia

Example: sh atirwrapmac.sh -ia

The hyphen must be preceded by a space as shown above.

When you execute the Attivo Endpoint Application installable, the following happen:

224 Attivo Cloud User Guide

 Deploying Attivo Endpoint Application
Monitoring the status of Attivo Endpoint Application installation 13

• You can view the updated information in the Analysis | Endpoints | Managed Endpoints
page of the Manager. See Monitoring the status of Attivo Endpoint Application installation

• If you install deceptive tokens for all users, these tokens are installed when a user logs on the
next time. Even for the currently logged on user, the tokens are installed when the user logs on
the next time.

• For some applications, the deceptive tokens might not be installed if they are open when you
run the Attivo Endpoint Application installable.

Monitoring the status of Attivo Endpoint Application installation

You can configure the Attivo Endpoint Application to log the installation status back to Attivo Cloud. For
every endpoint that you install the Attivo Endpoint Application, Attivo Cloud can get an update.
To update the installation status, Attivo Endpoint Application creates a HTTPS session between the
endpoints and Attivo Cloud. Attivo Cloud listens on port 443 for this HTTPS session.
You can monitor the Attivo Endpoint Application installation status in the Managed Endpoints page
within Analysis tab.

Summary of Attivo Endpoint Application installation status

You can quickly understand on how many endpoints the Attivo Endpoint Application is installed
successfully and for how many user accounts.
Endpoint Installations:
This section displays a pie chart with details on the number of endpoints on which Attivo Endpoint
Application was successfully installed.
It also displays the following statuses:

• Installed - Attivo Endpoint Application is successfully installed.

• UnInstalled - Attivo Endpoint Application is uninstalled from the endpoints.

• Require Attention - This could mean that the installation could be in any one of the following
processes.

• Installation could be in progress.

• There could be an installation error.

• Uninstallation could be in progress.

• There could be an error while uninstalling the Attivo Endpoint Application.

Attivo Cloud User Guide 225

13 Deploying Attivo Endpoint Application
Monitoring the status of Attivo Endpoint Application installation

Endpoint Features:
The bar chart in this section displays Attivo Endpoint Application installation status for each endpoint
security feature. It represents the number of endpoints on which the endpoint features are installed
and shows installation success or failure.

The example in the screen shot above indicates that for ThreatStrike, Attivo Endpoint Application was
successfully installed for four endpoints.
User Profile:
The user profile graph in this section indicates the number of user accounts for which Attivo Endpoint
Application is successfully installed. Failure graph will indicate any installation failures.

Managed Endpoints
Below the Summary section, you can view the Attivo Endpoint Application installation details per
endpoint.
Search box
You can use the Search box to perform search across all the records displayed in the Managed
Endpoints page. You can perform two types of searches using this Search box; Search in all data and
Search as a credential.
Search in all data
In this type of search you can enter the search string and either press Enter or select Search for “ “
in all data option, then the search string will be searched across all the records present in the
Managed Endpoints page.
• For example, if your search string is ‘admin’ then, you can either press Enter or select Search for
“admin” in all data option. All the records in which ‘admin’ is present will be listed.

Search as a credential
In this type of search you must enter the search string and select Search for “ “ as a credential
option, then in all the endpoints where this credential is present across various applications (example:
lsass, Putty, SMB, shared drive, Local administrator, Rdp, etc.,) will be searched.

226 Attivo Cloud User Guide

 Deploying Attivo Endpoint Application
Monitoring the status of Attivo Endpoint Application installation 13

• For example, if you are searching ‘admin’ as a credential then, in whichever endpoint, ‘admin’ is
present as the credential (across various applications) will be searched.

The crown symbol on the endpoint indicates that the CloudLink is active on that system.

Field Description
Last Seen The timestamp of when an endpoint last communicated with BOTsink.
Host Name The computer name of the endpoint.
IP address (MAC The IP address and MAC of the endpoint. If an endpoint has multiple network interfaces,
address) all are listed.
Operating System The operating system on the endpoint.
Status Indicates whether the Attivo Endpoint Application was successfully executed on the
endpoint.
Possible values are:
• Installed
• Uninstalled
• Requires Attention
Possible installation mode values:
• Single User with Service
• All Users with Service
• Single User
• All Users
Features Shows the number of features.
EP Version The version of the Attivo Endpoint Application.
Pinned Version Displays the version of Attivo Endpoint Application tagged to the endpoint.
Users The user accounts for which Attivo Endpoint Application was installed on an endpoint.
• All currently logged on (active) endpoint users are displayed in Bold. This is applicable
to endpoints that are on Windows operating systems only.
• The sequence of the users in the list depends on their login timestamp, i.e, the last user
to logon appears at the top of the list.
• Logged out users appear towards the end of the list, along with their respective logout
times. Mouse over the info icon to see the logout time for that user.
Mouse over the info icon to see the profile name and status of the following features
configured for the respective user account: ThreatStrike, ThreatPath, and Endpoint
Forensics.
The domain name is displayed if available.

Note: Active/Inactive user details are available only if you install Attivo Endpoint
Application in service mode. If the endpoint reboots abruptly, Attivo Cloud may not
receive user details from Attivo Endpoint Application. In such cases, even though the user
is currently inactive, the user status will be displayed as Active.

CloudLink CloudLink is the endpoint utility that runs in a system. Select CloudLink to view the status.

• Select records and click the Delete icon to delete endpoint’s data permanently.

• Select all the records and click the Delete All icon to delete all the endpoint’s data permanently.

Attivo Cloud User Guide 227

13 Deploying Attivo Endpoint Application
Sign the Attivo Endpoint Application binary

• Select the record and click the Actions button to perform the following actions:

• Update Software: Click to update Attivo Endpoint Application on the endpoints. In the Update
Endpoint Software dialog, select the version of the application that you want to upgrade to.
Attivo Endpoint Application will be updated to the selected version at the next update interval and
the endpoint will be tagged to this version.

Note: These settings override the software version configurations in the protection policy. Protection
Policy configurations will be applied once the version tag is deleted.

• Manage Protection Policies: Click to view the Protection polices.

• Migrate CloudLink: Click to migrate CloudLink and make this managed Windows endpoint to
function as Attivo CloudLink. The endpoint will function as Attivo CloudLink only if it is a domain-
joined Windows endpoint.

Note: At a given point in time, there can be only one active Attivo CloudLink per subscription of Attivo
Cloud.

• Remove Version Pin: Click to delete the version tag on the endpoint.

• Notify: Click to notify the endpoint of any changes in the client group settings. On receiving
notification from Attivo Cloud, Attivo Endpoint Application applies the changes immediately on the
endpoints.

• Enable Debug: Click to enable debug logging at the request of Attivo Technical Support. The
debug files (.etl) are encrypted and must be sent to Attivo Technical Support to troubleshoot issues
related to Attivo Endpoint Application. You can download the logs from Administration |
Downloads | Endpoint | Endpoint Logs.

• Disable Debug: Click to disable debug logging.

• Assign Protection Policy: Click and select a different client group that you want to assign to an
endpoint. Selected client group configurations will be applied on the endpoint at the next update
interval.

• Collect Debug: Click to collect debug logs from the endpoint. Debug log files (.log) will be sent to
Attivo Cloud at the next Update interval (configured in Protection Policy). Debug logs contain
information about the endpoint and can help in troubleshooting issues on the endpoint.

• Credentials: Click to view a report of real and deceptive credentials on the endpoints. You can
view the credentials report for endpoints that have either ThreatStrike or ThreatPath installed. The
credentials are real (R) for ThreatPath and deceptive (D) for ThreatStrike. This option is disabled
for endpoints that have neither ThreatPath or ThreatStrike installed. You can see a report of all
the credentials that exist for applications such as lsass, Putty, SMB, shared drive, Local
administrator, Rdp, Favourites etc. on this endpoint.

• Assign Protection Policy: Click to change protection policy.

Sign the Attivo Endpoint Application binary

For greater authenticity you may choose to sign the Attivo Endpoint application using your custom
certificate.
Use any of the following methods to sign the Attivo Endpoint Application binary.

Method 1: Using your private key file.

Use this method to change the digital certificate using your own private key file.

228 Attivo Cloud User Guide

 Deploying Attivo Endpoint Application
Sign the Attivo Endpoint Application binary 13

Steps:
1 Open the command prompt from the folder containing the Endpoint Application files and execute the
following command.

setup.exe /changesign /kf <path> [/ts <timestampurl>] [/ac <path>]

• setup.exe is the name of the Attivo Endpoint Application executable file.

• /ts is the time stamp URL.

• /ac is the additional certificate file.

• /kf is the private key file.

Example:

setup.exe /changesign /kf "mykey.pfx" /ts "http://timestamp.verisign.com/scripts/

timstamp.dll" /ac "corsscert.cer

2 Enter the password of the private key file. The newly signed file is generated at the same location.
The file name is appended with _signed.

Method 2: Using a private key from cert store

You need elevated privileges on the computer to use this method.
Steps:
1 Open a command prompt from the folder containing the Endpoint Application files and execute the
following command.

setup.exe /changesign /sub <subject> [/ts <timestampurl>] [/ac <path>]

• setup.exe is the name of the Attivo Endpoint Application executable file.

• /ts is the time stamp URL.

• /ac is the additional certificate file.

• /sub is the subject name reference of the code signing certificate in the certificate store.

Example:

setup.exe /changesign /sub "My Company Inc." /ts "http://timestamp.verisign.com/

scripts/timstamp.dll" /ac "corsscert.cer"

2 The newly signed file is generated at the same location. The file name is appeneded with _signed.

Method 3: Using a batch script

Use this option to sign the file using your own method or tool.
Steps:
1 Edit the signbin.bat file with the necessary commands such that this batch file can sign the files passed
to it and return the corresponding error.

2 Open a command prompt from the folder containing the Endpoint Application files and execute the
following command:

setup.exe /changesign /batch

setup.exe is the name of the Attivo Endpoint Application executable file.

3 This launches the signbin.bat file with the parameter of the file to be signed.

Error codes
Here are some of the error codes that you may encounter while signing the Attivo Endpoint Application
binary.
• 2: Unable to access file

Attivo Cloud User Guide 229

13 Deploying Attivo Endpoint Application
Sign the Attivo Endpoint Application binary

• 3: Unable to access pfx file

• 4: Unable to access cer files

• 5: pfx invalid

• 6: Cross Certificate invalid

• 7: Access to Certificate Store failed

• 8: Unable to initialze signer

• 9: Failed to Sign

230 Attivo Cloud User Guide

14 Endpoints Activity

Endpoints Activity refers to the suspicious queries identified by ADSecure-EP or DataCloak. You can
view the details of such queries as well as some of the endpoint details in the Endpoints Activity page in
Attivo Cloud. Note that Endpoint Activity page provides the details of queries even if ADSecure-EP or
DataCloak is in Alert Only mode (engagement or protection disabled).
ADSecure-EP and DataCloak modules of Attivo Endpoint Application look for queries that qualify for
intervention. In addition to taking the configured action on such queries, Attivo Endpoint Application
uploads the details of these queries for correlation and reporting purposes. You can configure the
reporting interval in the Global Settings tab of protection policies. Attivo Endpoint Application uses
TCP port 443 to upload the query details to Attivo Cloud (Attivo CloudLink is not involved).

How can you use the information in the Endpoints Activity page?
The Endpoints Activity page provides visibility regarding:
• How your Active directory is being targeted. You can view the processes, commands, and API calls
used to query the AD.

• Who and from where the Active Directory is targeted. You can view the details of the compromised
endpoints and the user accounts used. If the AD query is executed in a different user context, then
the ADSecure-EP report displays the logged on user and the user context as well.

• Is there any ransomware-like activity in your network. If yes, then which are the endpoints involved
and in what type of activity.

• Tracking down attackers by identifying the compromised endpoints as well as understanding the
method employed by correlating the queries.

For example, if the same process, installed at the same location, queries the AD from 80% of the
endpoints, then most likely these are legitimate queries. Therefore, you can configure ADSecure-
EP to not evaluate queries from that process. Conversely, if a process queries the AD from just a
few endpoints, then it can be suspicious.

Accessing the Endpoints Activity page

• To access the Endpoints Activity page, go to Analysis | Endpoints | Activity.

• Endpoint Activity corresponding to an event: Go to Analysis | Events. Then, click on the horizontal
ellipsis and select Details View | Activity. You can then view the details of the corresponding queries
in a card view. This card view is similar to the Details tab in the Endpoints Activity page. See Details
tab.

Understanding the Endpoints Activity page

The Endpoints Activity page has two tabs:
• Summary: As the name implies, this tab provides an executive summary of the queries detected by
ADSecure-EP and DataCloak.

Attivo Cloud User Guide 231

14 Endpoints Activity

• Details: This tab enables you to drill down to the details of the summarized data. You can use the
options to pivot the data to understand the threat from varied perspectives. You can switch to view
all or acknowledged records as well.

Note: By default, only the unacknowledged report entries are factored in for the Endpoints Activity
page.

Summary tab
If you acknowledge a record in the Summary tab, then that data isThe Summary tab consists of two
sections - graphs and table.
Graphs section
Following are the graphs shown in the Summary tab.

• The Top 5 Process graph shows the processes that threat actors used the most to execute the queries.
These are the actual processes that sent the queries. You can view the parent and grandparent
processes in the Details tab. Point to a bar to view the count.

• The Query Type chart shows the classification of queries and the count for each. The legend shows a
maximum of 4 items at a time. The following section describes these query types.

• The Queries by Features show the classification of queries based on features. Currently, the queries
executed in console apps are classified under one of these features - ADSecure-EP or DataCloak.

Table section
This section summarizes the queries detected by ADSecure-EP and DataCloak in a table. The queries
are grouped based on certain parameters explained in the following table.
Each row in the table represents a group or set of queries. From this table, you can drill down to view
the details of each row in the Details tab. For example, to view all the queries executed using
powershell.exe, click on powershell.exe in the Process column. You automatically navigate to the
Details tab with the filter set to show all the unacknowledged queries executed using powershell.exe in
the last 30 days and arranged in the reverse chronological order. Similarly, you can view the details
based on publisher, query type, and feature.

Note: There is no time selection in the Summary tab. So, it shows all available data. However, when you
click on a process, publisher, query type, or feature, the Details tab displays the corresponding data for the
last 30 days by default.

The table section is detailed below.

232 Attivo Cloud User Guide

 Endpoints Activity
14

Item Description
1 Every query reported in Endpoint Activity is based on 3 basic parameters:
• The process, which is the source of the query.
• The path where the process is installed.
• The publisher's name.
2 If the values for the above 3 parameters are same, then those queries are consolidated in
one row in the Summary tab. Every time this query is repeated, the query count is
incremented. You can also configure the time period for which you want repeated queries
to be ignored. You configure this time period in the Reports Throttling Interval field
Global Settings tab of protection policies.
Even if the query type (item 3 in the screenshot above) or feature (item 4) is different, the
queries are consolidated in the same row in the Summary tab if the basic parameters are
same.
The count of queries corresponding to each query type and feature are provided in
parenthesis.
3 The queries are classified under the following categories:
• Console input - This query type applies to ADSecure-EP and DataCloak. These are
commands executed in Windows Command shell or PowerShell. Examples are net
commands and klist. If you select Console Apps in the Global Settings tab of
protection policies, then Attivo Endpoint Application reports all commands regardless of
whether ADSecure-EP/DataCloak acted on the response or not. Therefore, even
commands executed by non-domain users may be reported.
• LDAP search: This query type applies to ADSecure-EP. These are LDAP queries from
untrusted sources upon which ADSecure-EP had acted upon. For example, an attacker
might use LDAP query to get the list of domain controllers.
• API calls: This query type applies to ADSecure-EP. The API calls made by processes to
query the AD fall under this category. For example, an attacker uses BloodHound or
Windows PowerShell cmdlets, which make an API call to query the AD.
• Script: This query type applies to ADSecure-EP. When an untrusted user executes a
script or command in PowerShell, Attivo Endpoint Application scans the AMSI buffer and
reports the commands. These are classified under this category. Also note that the
commands that Attivo Endpoint Application report are as per the Endpoint Reporting
setting (Conservative, Moderate, or Aggressive) in the in the Global Settings tab of
protection policies.
• SMB share: This query type applies to DataCloak. Queries to enumerate mapped
network drives fall under this category.
• Local drive: This query type applies to DataCloak. Queries to enumerate local drives
and folders fall under this category.

Note: On endpoints running Windows 7 and Windows Server 2008, Attivo Endpoint
Application reports commands executed in Windows PowerShell only if the Windows
PowerShell version is 3.0 and command history is enabled in Windows PowerShell.

Note: ADSecure-EP module in Attivo Endpoint Application cannot block the traffic to AD
Web services if PowerShell 7.0 is used.

4 The features that detected the queries are displayed. The count of queries for each feature
is provided in parenthesis.
Currently, Console Apps is not listed as a feature in this column.
EP Count (%) This is the count and percentage of endpoints that reported this query. For example, a
count of 4 indicates that 4 endpoints reported a query, wherein the process, installed path,
and the publisher are same.
The percentage is calculated as follows: (number of endpoints that reported a
query, that is endpoint count / total number of managed Windows
endpoints) * 100
To see the managed Windows endpoints, go to Analysis | Endpoints | Managed
Endpoints and filter by operating systems.
As explained in the overview section, the percentage can be a cue to identify benign and
malicious queries.
Refresh icon Click to refresh the data displayed in the Summary tab. It does not pull the latest queries
from Attivo Endpoint Application instances. Attivo Endpoint Application sends updates only
as per the reporting interval in the Global Settings tab of protection policies.

Attivo Cloud User Guide 233

14 Endpoints Activity

Item Description
Action | Allow You are taken to the Exception Policies page with the process, path, and publisher fields
Rule auto-filled with the corresponding data. Enter a name for the exception policy, review the
Action | selected protection policies and features, and then save the exception policy. The Attivo
Intercept Rule Endpoint Application instances apply this exception from the next update.

Acknowledge The Summary tab factors in all the unacknowledged queries. You can acknowledge a row
of data in the table. To view acknowledged data in the Summary tab, you must first
unacknowledge the corresponding cards in the Details tab.
Actions | Delete Deletes the selected row including all the query details consolidated under this row. This
is a permanent action, which cannot be undone.
Actions | Delete Same as Delete but applies to all the data in the Endpoint Activity page.
All

Details tab
The table in the Summary tab is a consolidated view of queries reported from the endpoints. Whereas,
the Details tab provides the details of each incident of an AD query in a card view. See Table section to
understand how you can drill down from the Summary tab to the Details tab.
By default, the details of all the unacknowledged AD queries are displayed. If you clear all the custom
filters in the Details tab, then the total number of Queries in the Summary tab matches with the Total
Count displayed in the Details tab.

Understanding the card view of the Details tab

The paths are segregated initially in the card view. You can drill down to the details of each card, where
you can see the details of each query. You can also create allow or intercept rule (as applicable) for
each or a set of queries. Additionally, you can export the entire set of results or a specific set to a CSV
file.
By default, the queries detected in the last 30 days are grouped by Timeline and sorted in the reverse
chronological order. This default view lists the most recent individual queries.

Note: If you directly visit the Details tab (instead of using any links in the Table in the Summary tab), then it
always defaults to, First Seen: Month, Group By: Timeline and Sort By: Last Seen. That is, the options you
select in the Details tab are not preserved when you leave the Details tab. As a workaround, open the page
you want to visit in a new tab.

234 Attivo Cloud User Guide

 Endpoints Activity
14

Item Number Description

1 The options you apply are displayed here.
2 Click to select a Filter By option or to enter a search string. For example, if you want to
view all the queries where the host name contains the string Fin (as in Finance), click here
and type Fin. You can type a partial or the whole string as the keyword.
Group By The cards are created by grouping the individual queries. For example, if you group by
source host name, then a card is created for each host on which the queries are detected.
This card contains the individual queries related to that host.
The main advantage with the card visualization is that you can pivot the data using the
Group By option. This enables you to look at different aspects of a threat.
The options are:
• Timeline: This is the default setting, wherein the queries are considered based on their
time stamp. Therefore, each card contains the details of only one query.
• Process: The queries are grouped under the same card if the Windows system GUID
(UUID), process ID, and logged on user name are same.

In this example, the queries are grouped under different cards because the PID of the
process executing the queries are different. Note the host name, logged on user name,
process name (powershell.exe), and even the PID of the parent process are same.
Note that GUID and PID is used to identify instead of names. Therefore, changing the
host name, for example, does not impact the grouping.
The crown indicates that the query was executed with escalated privileges.
• Source Hostname: The queries are grouped together if the system GUID is same.
First Seen Select the time period for the queries. For example, select hour to view the queries in the
last 60 minutes and day for the last 24 hours. Default selection is month.

Attivo Cloud User Guide 235

14 Endpoints Activity

Item Number Description

Filter By Use this to list queries matching a criteria.
The query count pertaining to each Filter By option is shown in parenthesis.
The values displayed for a Filter By parameter and the corresponding query count may
change based on what you select for First Seen and Log Type.
Some of the Filter By options are:
• OS: You can filter based on Windows operating system versions.
• Protection Policy: For example, you might want to view the queries from a particular
protection policy to fine-tune the configuration.
• Process Name: This is based on process name (not process ID). If you select
powershell.exe for example, then queries executed from powershell.exe (regardless of
PID of powershell.exe) are fetched. To view queries from various instances of
powershell.exe, filter by powershell.exe and group by process.
If you select multiple options in Filter By, then AND condition applies. If you select multiple
values for a Filter By option, then OR condition applies. In this example, only the queries
which match the following criteria are fetched: the process name is powershell.exe AND
query type is LDAP search OR API call AND protection policy is Default_Protection_Policy.

Log type By default only the unacknowledged queries are factored in. You can acknowledge or
unacknowledge up to 25,000 individual query records at a time.
Sort by • Last seen: Sorts the cards as well as the query records inside each card in the reverse
chronological order.
• First seen: Sorts in the chronological order.
The options in the Actions menu and the refresh icon are as described in the Summary tab.
Clear All removes the filters you set.

Click to expand the card and view the individual query details.

Click to select all the query records in the card. You can select multiple cards using this
option and perform bulk operations from the Actions menu.

Viewing individual queries in a card

When you expand a card, the individual queries under that card are displayed.

236 Attivo Cloud User Guide

 Endpoints Activity
14

Item Description
1 This is the header portion of the card. The fields in this section varies based on the Group
By value.
• When grouped by Timeline, the following fields are displayed:
• Source host name: This is the computer name of the endpoint at the time of the last
update from Attivo Endpoint Application.
• IP addresses of the endpoint: These are the IPv4 addresses of the endpoint at the
time of the last update from Attivo Endpoint Application. If there are multiple IPv4
addresses, then the first one is displayed. To see other IP addresses, point to the
number of additional IP addresses.
• Protection policy applied on the endpoint.
• Feature - indicates the feature that detected the query. AD indicates ADSecure-EP
and DC indicates DataCloak. In case of Timeline, each card contains only one query.
Therefore, only that specific feature is indicated.
• Queried Time: The age of the query contained in this card.
• Group by Process shows the following fields:
• Process name and process ID in parenthesis
• Host name. This is same as the source host name described above.
• Logged on user name: The logged on user account who executed the query. If the
query is executed in a different user context (like using Run as command), then the
user context is provided below in the card. If the user context is with elevated
privileges, then it is indicated by a crown icon next to the process name.

Note: In the corresponding Event (in the Description) and when you export the query
details to a CSV file, only the logged-on user is mentioned and not the user context.

• Protection policy
• Features that detected the queries and the count of queries contained in this card.
AD indicates ADSecure-EP and DC indicates DataCloak.
• First seen - This is the age of the oldest record contained in the card.
• Last seen - This is the age of the latest record contained in the card.
• Group by Source Host name shows the following fields:
• Source host name
• IP addresses of the endpoint
• Protection policy
• Features
• First seen and last seen

Note: Click Details to view the complete details available for the endpoint.

2 This section shows the process flow leading to the query. You can use this information to
correlate the queries and understand the attack further. The PID is provided in parenthesis.
If you group by process, then this section applies to all the queries contained in a card. If
you group by time-line or source host name, then the process flow is provided separately
for each query.
In the example screenshot above, powershell.exe is the process that executed the query.
The parent process of powershell.exe is svchost.exe.
It is common for hacking tools to be renamed to avoid suspicion. In such cases, the original
file name is in parentheses along with the current name. For example, if adfind.exe is
renamed as find.exe, then find.exe is provided in parenthesis.

Attivo Cloud User Guide 237

14 Endpoints Activity

Item Description
3 This section shows the following details for the process that executed the query:
• User context for the process that executed the query. This can be different from logged
in user if the process is invoked using the Run as command, for example. Correlate
logged-in user and user context to identify suspicious queries. For example, if they are
different and if the user context has elevated privileges (crown symbol), then the
chances of the query to be malicious is high.
• Publisher name - Helps you to know if you can trust the process.
• SHA2 hash - For example, you can use the SHA2 hash value to identify all the endpoints
that have this suspicious process installed.
If you group by process, then this section applies to all the queries in a card. For other
group by options, this section is provided separately for each query in the card.
4 This section contains the individual queries. The format of this section is same for all the
group-by options.
It indicates the feature (AD or DC) that detected the query, the query type, the query, and
its time stamp.
Attackers can encode Windows PowerShell commands to avoid detection. In such cases,
Attivo Cloud displays the decoded command by default. To view the encoded command,
click the icon in the Query column. If you export to a CSV file, only the decoded commands
are included.
For File and Folder Events Summary detected by DataCloak, you can view the rule and the
actual event (up to 2 actions) in JSON format.

Actions you can take in the Details tab

The options in the Actions list applies to all the queries or the cards you select.

238 Attivo Cloud User Guide

 Endpoints Activity
14

Options that display when you click the horizontal ellipsis apply to a card and its contents.

• Add Allow Rule / Add Intercept Rule: You are taken to the Exception Policies page with the process,
path, and publisher fields auto-filled with the corresponding data. Enter a name for the exception
policy, review the selected protection policies and features, and then save the exception policy. The
Attivo Endpoint Application instances apply this exception from the next update.

• IP informer: This option is available only in the Details tab. Click to view the IP Informer page for
the source host name of the query.

In the IP informer page, you can view detailed information about the IP address.

Attivo Cloud User Guide 239

14 Endpoints Activity

240 Attivo Cloud User Guide

15 Monitor your assets

The interactive Attivo Cloud Dashboard gives you the visibility into the health and security posture of
your infrastructure.

Attivo Cloud Dashboard

The dashboard provides a summarized and graphical view of your accounts and resources, and you
can use the predefined time range to view current trends or historical data.
By default, the data displayed on the dashboard is for the current month and for medium severity
events.

Counters on the Dashboard

1 shows you the number of events generated for the selected filters.

2 Shows the number of MITRE ATT&CK Techniques that the events are categorized into.

3 Shows the number of MITRE ATT&CK Tactics that the events are categorized into.

4 Shows the number of endpoints that are compromised.

click on any of these counters and you can further drill down to the event details of these detections.

Events classified according to MITRE ATT&CK

MITRE ATT&CK is a globally-accessible structured list of known adversary tactics and techniques
based on real-world observations. It is a knowledge base of different tactics and techniques defined
for categories like Enterprise, mobile, etc.

Attivo Cloud User Guide 241

15 Monitor your assets
Attivo Cloud Dashboard

Tactics define what the attackers are trying to achieve and techniques define how they try to achieve
those steps. The events raised on the BOTsink are associated with MITRE ATT&CK Enterprise tactics
and techniques.
Relating the events raised in your environment to different MITRE ATT&CK enterprise tactics and
techniques can help you visualize the strengths and weaknesses of your environment.

Enterprise Tactics:
Currently, MITRE ATT&CK has 12 enterprise tactics. All the 12 enterprise tactics are displayed on the
MITRE ATT&CK section on the dashboard with the number of events raised against each of them.
Enterprise Techniques:
Click on the tactic to see the detailed view of events. In the detail view, the events are further
categorized into different MITRE Techniques that fall under the given MITRE Tactic. You can filter the
events based on Severity or Time Period.

Time-based Attacks
This is a line graph, which shows event progression over time. You can view the progression of events
of different severity together. So, you can view the count of events at different points in time. You can
drill down to the Events page from the graph.
• The x-axis is plotted based on the time period selected as well as the alerts stored in the database.
For example, if you select month as the time period, the x-axis shows the last 30 days as the
coordinates. However, if the alerts are available only from the last 2 days, then the x-axis coordinates
are plotted for these 2 days. This means, the interval between two x-axis coordinates could be a few
hours.

If the time period is day, the preceding 24 hours from your current time is plotted on the X-axis.

If the time period is hour, the preceding 60 minutes are plotted on the X-axis.

• Mouse over a node to view the value of the x and y coordinates, that is the time and the number of
events occurred between the previous x-coordinate and the next x-coordinate.

• Click on a node to view the details of the events, which make up the displayed count. For example,
in the screenshot shown above, click on the node to view the details of the 103 events.

242 Attivo Cloud User Guide

 Monitor your assets
Attivo Cloud Dashboard 15

Suspicious Endpoints by Policy

This graph shows the severity of the events that have been raised by a specific Protection Policy.
Mouse over a section of the chart to view the summary details.
Click Show all to view all the Protection policies and the count of each. This information displays in a
tabular format. Click Export to export this data into a CSV file that you can refer to later.

Suspicious Endpoints by Features

This chart displays the list of suspicious endpoints by the endpoint features that is installed on them.
Mouse over a section of the chart to view the summary details.

Events Summary
This chart displays the number of events by severity for different modules. For example, if Medium is
the Dashboard-level severity, then this chart represents the number of medium-severity events,
number of high-severity events, and number of very-high severity events.

Attivo Cloud User Guide 243

15 Monitor your assets
Attivo Cloud Dashboard

Mouse over a section of the chart to view the summary details.

Top 5 Attacks
This chart displays the type of malicious events and the count of each such event.
Mouse over a bar to view the attack name and number of associated events.
Click Show all to view all the attacks and the count of each. This information displays in a tabular
format.

Top 5 Suspicious Endpoints

This chart displays information of the endpoints that are susceptible to attacks. You can use this
information to quickly identify the endpoints to be quarantined immediately.
Click Show all to view all the attacks and the count of each. This information displays in a tabular
format.

244 Attivo Cloud User Guide

 Monitor your assets
Attivo Cloud Dashboard 15

Endpoint Detection Net (EDN)

This chart shows the summary of endpoints. At a quick glance, you can see how many endpoints are
offline, how many endpoints have EDN features installed, and how many are suspicious.

You can click on the count displayed for Suspicious, which directs you to the Events page.

Note: Offline displays the total number of endpoints having EDN features, failed to communicate with Attivo
Cloud for more than 90 days.

Recent Events
The most recent events are listed in this section. You can see a quick summary of these events here. To
view all the events click View All.

Attivo Cloud User Guide 245

15 Monitor your assets
Monitoring through the Events tab

ADAssessor Summary
This is the same as the Test Results widget in the ADAssessor Dashboard tab. See Understanding the
Dashboard tab.

Monitoring through the Events tab

Attivo Cloud does complex analysis and correlation of events to determine their malicious nature. Then,
it assigns a severity to each event based on how strongly they indicate malicious activity. The possible
severity levels are - very low, low, medium, high, and very high.
The Events tab facilitates easy viewing of the logged activities. However, its main purpose is to ensure
you do not miss critical events, such as data exfiltration.
Select the time period for the query.
• The time period of the query is relative to the time zone configured on your client host.

• Year – Events from the last 365 days are queried for.

• Month – Events from the last 30 days are queried for.

• Week – Events from the last 7 days are queried for.

• Day – Events in the last 24 hours from the current time are queried for.

• Hour – Events in the last 60 minutes are queried for.

Select the severity of the events you want to view.

246 Attivo Cloud User Guide

 Monitor your assets
Monitoring through the Events tab 15

If you select medium, events of severity medium and above are queried for. To view events of a
specific severity, select the corresponding value.
Select the Log type. Acknowledged gives you the events that are acknowledged. Unacknowledged gives
you the events that have not been acknowledged. Use All to view all the events.

• You can click the export icon to download all the events records to a CSV file.

• To Acknowledge or Unacknowledge the required event, click ... icon and select Acknowledge Event or
Unacknowledge Event from the list.

Note: If the total number of records exceed 25000 then only the most recent 25000 records will be
downloaded. You may choose to optimize the filter criteria and download the records to a CSV file.

Details view
You can view more details of an event by accessing ... icon and selecting Details View option. To
delete the event, you select the Delete Event option. Once you select Details View option, you will be
directed to a page having Events tab and Activity tab.
Events
A summary of all the activities related to the event is displayed under Events tab.

Following are the Actions which can be performed under Events:

• Delete Selected - use this option to delete the selected event.

• Delete Queried - use this option to delete the queried event.

• Acknowledge Selected - use this option to acknowledge the selected events.

• Unacknowledge Selected - use this option to unacknowledged the selected events.

• Acknowledge Queried - use this option to acknowledge the queried event.

• Unacknowledge Queried - use this option to unacknowledged the queried event.

• Export - use this option to export the event details to a csv file.

Attivo Cloud User Guide 247

15 Monitor your assets
Monitoring through the Events tab

Adding comment to an event

• You can add a note or comment for the selected event, which can be viewed by other users.

For example, you can add additional information about an event or leave a note for other users.

• When you comment an event, an information icon is displayed in the Description column for
that event. Mouse over the comment icon to view the comment.

• Click Show Comment to view the comment.

Activity
Under Activity tab, all the activities related to ADSecure-EP feature are listed.

The following table describes the fields and options present under Activity tab.

Field Description
Group By Select to group the events by Timeline, Process, and Source Hostname.
Time Select to sort the events by selecting Time as Hour, Day, Week, Month, and Year.
Filter By Filter the events by Query Type, OS, Protection Policy, Process Name, Publisher, and
Feature.
Log Type Sort the events by selecting the Log Type as Acknowledged, Unacknowledged. You can also
select All to sort the events by both Acknowledged and Unacknowledged.

248 Attivo Cloud User Guide

 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink 15

Field Description
Sort By You can sort the events by First Seen or Last Seen.
Actions You can do the following activities for an event using the options under Actions drop-down:
Acknowledge Queried: use this option to acknowledge only the queried activity on the
endpoint.
Export CSV: use this option to export the data to a CSV file.
Delete Queried: use this option to delete only the queried activity on the endpoint.
Delete All: use this option to delete all the activities of the endpoint.

Note: The tabular view always defaults to Group By: Timeline and First Seen: Month. That is, the view
settings and filters you select are not preserved if you revisit the Activity tab under Events.

• For each of the record under Activity tab, using ... icon you can Add Allow Rule, Add Intercept
Rule, Acknowledge the activity, and Delete the record.

Following are the Actions which can be performed under Activity:

• Acknowledge Queried - use this option to acknowledge the queried event.

• Unacknowledge Queried - use this option to unacknowledged the queried event.

• Export CSV - use this option to export the event details to a csv file.

• Delete Queried - use this option to delete the queried event.

• Delete All - use this option to delete all the events.

Forwarding event and fault messages from EDN to syslog via

CloudLink
For Attivo Cloud, to forward events (alerts, warnings, and logs) and fault messages from EDN to syslog
server in your network, you need to create syslog profiles and configure the syslog server details in
Syslog Configuration page. While creating a syslog profile, you must provide the required details and
also the format to be used while sending the event and fault messages to syslog server. While
configuring a syslog server, you must select the corresponding syslog profile to be used.
Once you create the syslog profile and configure the syslog server, Attivo Cloud forwards the syslog
messages to Attivo CloudLink which in turn forwards it to the configured syslog server. Therefore,
ensure that you have installed Attivo CloudLink on an endpoint in your network, which has connectivity
to the required syslog servers. Recall that when you deploy Attivo CloudLink in your network, it acts as
the gateway between Attivo Cloud and your network resources such as Windows AD, SIEM applications,
syslog servers, and others. For more details, see Deploy Attivo CloudLink

Creating a syslog profile

You create a syslog profile to specify the severity of the events, format (CEF, CIM, LEEF) to be used
while forwarding the syslog messages and also to customize the details to be included in the event
information.
You need to add the below mentioned details in a syslog profile:
• Severity of the events to be forwarded.

• You can map Attivo Cloud severity with that of syslog standard (RFC 5424). So, the severity levels
reported by Attivo Cloud is consistent with the industry standard.

• Format (CEF, CIM, LEEF) for the syslog message.

Attivo Cloud User Guide 249

15 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink

• If you use ArcSight, you can configure the Attivo Cloud to send the details as per ArcSight’s
Common Event Format (CEF). This applies to event information, fault information, and audit logs.

• If you use Splunk, you can configure the Attivo Cloud to send the details as per Splunk’s Common
Information Model (CIM). This applies to event information, fault information, and audit logs.

• If you use QRadar, you can configure the Attivo Cloud to send the details as per QRadar’s Log Event
Extended Format (LEEF). This applies to event information, fault information, and audit logs.

• Customize the details to be included in the event information.

• Enable/disable forwarding of events/fault messages/audit logs and the format for the same.

Note: You can also use a default syslog profile, if it matches your requirements.

Before you begin:

• You must deploy Attivo CloudLink in your network.
Steps:
1 In Attivo Cloud, click Configuration | Syslog.

2 Click Add in the Syslog Profiles section.

To view the content of a default syslog profile, click Details adjacent to the syslog profile record.

3 Enter a name, which enables you to identify the syslog profile.

You select the syslog profile in the syslog server record based on this name.

4 Attivo Cloud generates the syslog messages with value as Attivo for Vendor Name field. To replace
the string with a customized name, specify the required vendor name in the Vendor Name field. This
applies if you select to send the details as per the CEF format (in step 9).

5 The Attivo Cloud tags all the syslog messages with the string "Attivo Cloud:" to enable you to
identify Attivo Cloud messages in the syslog server. To replace the string with a customized name,
specify the required product name in the Product Name field.

Note: Attivo Cloud excludes the logs containing the product name when querying SIEM (configured as a
syslog server).

6 Make sure the Events Forwarding is set to enabled.

7 Select event severity as the criterion.

For example, if you select medium, the subsequent medium, high, and very high events are
forwarded.

Note:

• To send events based on configuration in the attack policy only, you can select Nothing Selected
as the severity criteria in the syslog profile.

• You can also configure the severity criteria for syslog in both the attack policy and in the syslog
profile. For example, you might want only high and very high events to be sent to syslog servers.
There is also a specific low severity event, which you want to be sent to the syslog servers. For this
example, select high as the severity in the syslog profile. In the attack policy, select Send to Syslog
for that particular low severity attack.

8 The Attivo Cloud severity of events is mapped with that of syslog severity (RFC 5424). So, the severity
levels reported by Attivo Cloud is consistent with the industry standard. If required, you can modify
the mapping. For example, medium is mapped to alert and low is mapped to warning. You can change
this mapping if required.

9 Choose the details to be included.

250 Attivo Cloud User Guide

 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink 15

• Select Custom and re-order or change the parameters to be included. Click the required
parameter to include it. To remove a parameter, select the required parameter which is already
included and press Delete in the keyboard.

• If you use ArcSight, you can use the parameters to define the message and the format or choose
ArcSight’s Common Event Format (CEF).

Select Include Syslog Prefix to prefix timestamp (timestamp of when the event occurred) and
hostname (IP address of the management VM) details to the CEF message.

• If you use Splunk, you can use the parameters to define the message and the format or choose
Splunk’s Common Information Model (CIM).

• If you use QRadar, you can use the parameters to define the message and the format or choose
QRadar’s Log Event Extended Format (LEEF).

• Select the LEEF Version (1.0 or 2.0).

• (LEEF 2.0) Point to the info icon for information and specify an alternate delimiter to the
attributes.

• Select Include Syslog Prefix to prefix timestamp (timestamp of when the event occurred) and
hostname (IP address of the management VM) details to the LEEF message.

10 Optionally, enable Faults Forwarding.

• Select Custom to include the severity and description of the system fault.

• If you use ArcSight, you can send the severity and description or use the CEF.

Select Include Syslog Prefix to prefix timestamp and hostname details to the CEF message.

• If you use Splunk, you can send the severity and description or use the CIM.

• If you use QRadar, you can send the severity and description or use the LEEF.

• Select the LEEF Version (1.0 or 2.0).

• (LEEF 2.0) Point to the info icon for information and specify an alternate delimiter to the attributes.

• Select Include Syslog Prefix to prefix timestamp (timestamp of when the event occurred) and
hostname (IP address of the management VM) details to the LEEF message.

11 Optionally, enable Audit Logs Forwarding.

• Select Custom to include the description of the audit log.

• If you use ArcSight, you can send the description or use the CEF.

Select Include Syslog Prefix to prefix timestamp and hostname details to the CEF message.

• If you use Splunk, you can send the description or use the CIM.

• If you use QRadar, you can send the severity and description or use the LEEF.

• Select the LEEF Version (1.0 or 2.0).

• (LEEF 2.0) Point to the info icon for information and specify an alternate delimiter to the
attributes.

• Select Include Syslog Prefix to prefix timestamp (timestamp of when the event occurred) and
hostname (IP address of the management VM) details to the LEEF message.

12 Click Save.

Attivo Cloud User Guide 251

15 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink

Configuring syslog server

To configure a syslog server, you must create a syslog server record and add a syslog profile. As per
the syslog profile, Attivo Cloud forwards the requested event and fault details to the syslog server.
If you require Attivo Cloud to forward the same details to multiple syslog servers, you can select the
corresponding syslog profile in those syslog server records.
Before you begin:
• You have a syslog profile to use in syslog server record you are about to create.
Steps:
1 In Attivo Cloud, click Configuration and select Syslog.

2 Click Add in the Syslog Server section.

3 Enter the details in the corresponding fields.

Field Description
Enabled Attivo Cloud forwards events to the syslog server only if this option is selected.
You can save the record with this option unselected and select it when required. Consider
your primary syslog server is down, and you need the syslogs to be sent to a temporary
server. Then, you can unselect this option for the corresponding record and enable it back
when the server is up.
Name Enter a name, which can easily identify the syslog server. For example, if the syslog server
is in your branch office, you can enter the branch name.
Profile Name Select the syslog profile to use.
Server Name / IP Enter the IPv4 address of the syslog server.
address
Port Enter the server-side port number for the syslog messages.
Protocol Select the required protocol.
To send the syslogs over SSL, select SSL. Client authentication is not supported for SSL.

Note: Make sure the inline network appliances are configured to allow this traffic.

Cancel Click to save the dialog box without saving the details.
Save & Test Click to see if the Attivo Cloud can communicate with the configured IP address over the
connection selected protocol and port number.
For example, if a firewall blocks this connection, the test connection fails.
For test connection, the Attivo Cloud uses the default syslog profile regardless of the one
you selected. For example, if the protocol is UDP, then Attivo_Default_UDP is used.

Syslog messages formats (CIM, CEF, LEEF)

The syslog message forwarded by EDN to syslog via CloudLink contains the field names followed by the
corresponding value. The following table provides details about the fields for Attivo Cloud specific, CIM,
CEF, and, LEEF formats.

Attivo specific CIM CEF LEEF Description

fields
Severity Severity Header Section Header Section Severity of the attack.
Attacker IP src_ip src src The IP address or host name of
the source of the event.
Target Host dest_host dest_host dstHostName The host name of the decoy VM,
which was targeted for the event.
Target IP dest_ip dst dst The IP address of the targeted
decoy VM.

252 Attivo Cloud User Guide

 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink 15

Attivo specific CIM CEF LEEF Description

fields
Target OS dest_os dst_os dstOS The operating system of the
targeted decoy VM.
Description subject Header Section Header Section A high-level description of the
attack. In the Events page, this
information is displayed in the
Description column.
Some examples are below:
• SSHD authentication failed
• Common web attack
• User authentication failure
Details body cs2, msg msg The details of the attack traffic. In
the Events page, this information
is displayed in the Description
column within parenthesis.
Phase src_category cat cat Indicates the corresponding
attack phase as determined by
Attivo Cloud. The possible values
are: recon, access, MITM, exploit,
payload drop, C&C, or deceptive
credentials.
Service service service service The service on the decoy VM,
which was targeted by the attack.
VLANID VLANID vlan vlan VLAN ID discovered by Attivo
Cloud.
Forwarder forwarder forwarder forwarder The name of the forwarder VM.
Attacker IP Domain src_ip_domain shost srcIPDomain Domain name associated with the
attacker IP address.

Note: Displayed only if Reverse

DNS is enabled.

Target IP Domain dst_ip_domain dIPDomain dstIPDomain Domain name associated with the
target IP address.

Note: Displayed only if Reverse

DNS is enabled.

Attacker HostName src_hostname shost srcHostName Host name of the source of the
event.
Attacker MAC src_mac smac srcMAC MAC address of host of the source
of the event.
Attacker UserNames src_usernames suser usrName User names of source of the
event.
TargetIP List dest_ip_list dest_ip_list dest_ip_list The list of IP addresses from the
targeted decoy VM.
Target Ports dest_port dst_port_list dst_port_list The destination port of the
targeted decoy VM.
Target IP Ports dest_ip_port dest_ip_port dest_ip_port The destination IP port of the
targeted decoy VM.
Attivo AlertID id alertID Header Section ID of the event displayed in
Events page.
Source Device source_device_name source_device_name source_device_name Device name of the source of the
Name event.
Forwarder IP forwarder_ip forwarder_ip forwarder_ip The IP address of the forwarder
VM.
Dest UserName dest_username cs2,duser dstUserName User name of the targeted decoy
VM.
SubscriberName subscriberName subscriberName subscriberName Subscriber name of the targeted
decoy VM.

Attivo Cloud User Guide 253

15 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink

Attivo specific CIM CEF LEEF Description

fields
VTSummaryResult VTSummaryResult VTSummaryResult VTSummaryResult Summary of the VirusTotal result.
WebRootReputation WEBROOTReputation WEBROOTReputation WEBROOTReputation Indicates the analysis reputation
of Webroot.
MITRE Technique ID mitreTechniqueid mitreTechinqueid mitreTechniqueid ID of the MITRE technique.
MITRE Technique mitreTechniqueName mitreTechniqueName mitreTechniqueName Name of the MITRE technique.
Name
MITRE Tactic Name mitreTacticName mitreTacticName mitreTacticName Name of the MITRE tactic.
Product app Header Section Header Section The custom product name that is
configured in the syslog profile.
All messages are tagged with
these names to enable you to
identify Attivo Cloud messages in
the syslog server.

By default, the Product name is

Attivo Cloud.
Vendor NA Header Section Header Section The custom vendor name that is
configured in the syslog profile.
All messages are tagged with
these names to enable you to
identify Attivo Cloud messages in
the syslog server.

By default, the vendor name is

Attivo.

Understanding the Endpoint report

You can access the endpoint report from Analysis | Endpoints | Activity.

The ADSecure-EP module of Attivo Endpoint Application gathers and sends the AD queries for reporting.
You can configure the reporting interval in the Global Settings of a protection policy. Attivo Endpoint
Application uses the management channel (TCP port 443) to send the AD queries to Attivo Cloud.

Item Description
1 Each entry in this report is based on 3 parameters:
• The process, which is the source of the query.
• The path where the process is installed.
• The publisher's name.

254 Attivo Cloud User Guide

 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink 15

Item Description
2 One entry is created for all the queries that have the same values for the above 3
parameters. Every time this query is repeated, the query count is incremented.
3 The AD queries are classified under the following 3 categories:
• Console input - These are commands executed in Windows Command shell or
PowerShell. Examples are net commands and klist. If the Console Input Reporting
is set to All in the ADSecure-EP profile, then ADSecure-EP reports all commands
regardless of whether ADSecure-EP acted on the response or not. Therefore, even
commands executed by non-domain users may be reported.
• API calls: The API calls made by processes to query the AD fall under this category. An
API call is reported only if ADSecure-EP had acted on the response. For example, an
attacker uses BloodHound or Windows PowerShell cmdlets, which make an API call to
query the AD.

Note: Queries of type console input executed in Windows PowerShell are not reported if it
is a 32-bit PowerShell process running on a 64-bit Windows platform. For example, if you
execute klist on such a setup, the console input entry wherein the process is
powershell.exe is not reported. However, the API call entry for klist.exe is reported.

Note: On endpoints running Windows 7 and Windows Server 2008, ADSecure-EP reports
commands executed in Windows PowerShell only if the Windows PowerShell version is 3.0
and command history is enabled in Windows PowerShell.

Note: ADSecure-EP cannot block the traffic to AD Web services if PowerShell 7.0 is used.

Sections in the report

The ADSecure-EP report has 2 sections:
• Summary section: As the name suggests, the Summary section provides the executive summary of
the AD queries.

• Details section: The Details section provides all the information for each report entry.

By default, all the unacknowledged AD queries are displayed in both the sections of the ADSecure-EP
report.
Summary section
This section provides the executive summary of the AD queries.
TOP 5 Processes
The top 5 processes that are the source of the query are listed here.

Query Type
This graph shows the type of AD queries that and their number.

Attivo Cloud User Guide 255

15 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink

Queries by Feature
This graph shows the queries for the features. Currently the queries are for ADSecure-EP.

EP count (%) - This is the count of endpoints that reported this AD query. For example, a count of 5
indicates that 5 endpoints associated with this ADSecure-EP profile reported this AD query. As
explained in the overview section, the percentage can be a cue to identify benign and malicious queries.
Refresh only refreshes the display. Attivo Endpoint Application sends the updates only at the
configured Reporting Interval.
Details section
The Summary section is a consolidated view of a particular AD query reported from all the endpoints.
Whereas, the Details section provides the details of each incident of an AD query.
From the Details section, you can identify the host name, the user, and the IP address of the source of
the AD query.
In the Details section, select whether you want to view all, acknowledged, or unacknowledged entries.
Also, modify the time period of the report if required.

Table 15-1 Field description of the Details section

Field Name Description
Host Name The computer name of the endpoint from which the AD query is reported.
User The user account who ran the corresponding process. In case of console input, a non-
domain user name is also possible.

256 Attivo Cloud User Guide

 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink 15

Table 15-1 Field description of the Details section

Field Name Description
IP address All the network IP addresses on the endpoint are listed.
User The user who executed the query. If the AD query is executed in a different user context,
then the user context displays within parentheses. For example, if the logged on user is
jdoe and the AD query is executed as administrator, then the User column displays jdoe
(administrator). Therefore, if an AD query is executed with escalated privileges, you can
now also know the user context of that query.

Note: The user context is displayed only in the Details section of the report. In the
corresponding Event (in the Description) and when you export the report details to a CSV
file, only the logged on user is mentioned.

Elevated Indicates if the process was run with elevated privileges. Correlate with the value in the
User column to see the user context.
Binary/Process This column shows the process flow leading to the AD query. You can use this information
to correlate the AD queries and understand the attack further.
Following is the value shown in case of klist when executed from Command shell.
Here, klist.exe is the process that executed the AD query. The parent process of klist.exe
is cmd.exe. The parent process of cmd.exe is explorer.exe. The parent process of
explorer.exe is userinit.exe.
The process ID is in parentheses.
It is common for hacking tools to be renamed to avoid suspicion. In such cases, the original
file name is in parentheses along with the current name. For example, in this example,
adfind.exe is the original file name, which is renamed as find.exe.

Query Displays the details of the AD query.

Attackers can encode Windows PowerShell commands to avoid detection. In such cases,
ADSecure-EP displays the decoded command by default. To view the encoded command,
click the icon in the Query column. If you export the report to a CSV file, only the decoded
commands are included.
SHA2 The SHA2 value of the process.

Actions you can take in the report

• Add Allow rule: Select to add an Allow rule. This will take you to the exception policy page where you
can set an exception to this rule.

• Add Intercept rule: Select to add an intercept rule. This will take you to the intercept policy page
where you can add an intercept rule.
• Acknowledge: Select to hide entries in the report. To revert, filter for acknowledged entries and then
unknowledge the required entries. When you acknowledge in the Summary section, all the individual
entries in the Details section are also hidden.

• Delete: Similar to Acknowledge but the entries are purged permanently.

• Delete: Delete all the entries permanently.

Attivo Cloud User Guide 257

15 Monitor your assets
Forwarding event and fault messages from EDN to syslog via CloudLink

258 Attivo Cloud User Guide

16 Configuring reports

Reports configuration in Attivo Cloud allows you to customize the report content as per your
requirement and generate the report either instantly or schedule it to generate later at specific
intervals.
You can customize the content of a report as mentioned below:
• Select the report type: Executive or Events Details.

• Products and the features for which you want to generate the report.

• Set the report format and the frequency at which the report has to be generated.

• Optionally set the delivery options.

Report types
Executive summary: In this report, your organization’s executive team can view the summarized
threat details detected by the various features of Attivo Cloud. Your executive team can quickly figure
out the most common threats and IT-related details. This report provides the details of events
generated by Attivo Cloud, discovered network details, and ThreatPath.
• Events section summarizes the top threat-detection events. Information in this section includes the
top 25 events based on the configured severity, the top 10 compromised systems, the top 10 attacks
detected, the top 10 services targeted, the top 10 operating systems targeted, and count of attacks
per attack phase.

• Networks section summarizes the devices discovered by Attivo Cloud in the network. Information in
this section includes the top 10 operating systems detected, the top 10 devices detected, and the 10
most recently discovered endpoints, which came onto your network for the first time.

• ThreatPath section summarizes the detected lateral movement paths and vulnerabilities (mis-
configurations) on endpoints. It includes the number of paths per exposure type as well as number
of paths per critical path rule. It also summarizes the count for each vulnerability detected on your
network endpoints.

• For example, you create two reports; one just for events and another for network details. You can
schedule the event report to be generated and configure Attivo Cloud to email it to your network
security executives. Similarly, you can schedule the network report to be generated and email to
your network executives.

• If you select ThreatPath in the executive summary report, then a bar chart displaying the number of
paths per exposure type is included. A separate bar chart is included for critical paths. Also included
is the summary of misconfigurations discovered on endpoints as per the vulnerability policy.
Events details: This report contains the details of the events matching the filter criteria specified by
you. The data in the report is also sorted by the selected field and in the order (Ascending or
Descending) selected by you. You can view the following information:
• Event filter - Displays the filters based on which the report is generated.

• Events sorted by - Displays the field and the order by which the data is sorted.

Attivo Cloud User Guide 259

16 Configuring reports

• Event details- Displays the events details for the selected fields.

Creating / adding a report

A report is a record in which you define / customize the details to be generated as part of the report.
Steps:
1 Click Configuration and select Reports.

Reports page is displayed.

2 Click Add.

Add Report page is displayed.

3 Enter a name for the report in the Report Name field.

4 Enter a description about the report in Description field.

5 Under Report Content section, add the details in the corresponding fields:

a In Report Type field, select the required report type (Executive Report or Events Details).

b In Product and Features field, select the required products and features (example: ADAssessor,
EDN features)

c In Severity field, select the required severity (Low / Medium / High / Very High).

d In Time Period field, select the required time period (interval) at which the report has to be
generated (Hour / Day / Week / Month / Year).

6 Under Format and Frequency section, add the details in the corresponding fields:

a In Frequency field, select the the required frequency (On-demand, Scheduled)

• On-demand - Selecting this option and saving the report will generate the report immediately.

• Scheduled - Selecting this option and saving the report will generate the report as per the time
period configured under Time Period field.

Note: If you select the Scheduled option, then you must enable the Enable Scheduler option and
select the Time Period and then select the time stamp in Starts field.

7 Under Delivery Options section, enter the email id to which the report must be sent in the Email
Addresses field. If you want to send the report to multiple recipients then you must enter all the
email ids and each email id must be separated by a comma.

8 Click Save and Run to generate the report immediately, else click Save to just save the report.

Generating a report
Once you add / create a report, you can generate it immediately if required. If you have configured the
time period for the report then the report will be generated later as per the specified time period.
Steps:
1 Click Configuration and select Reports.

Reports page with the list of reports is displayed.

2 Select the required report and click Generate.

Selected report is generated in the configured format and the file is downloaded.

260 Attivo Cloud User Guide

 Configuring reports
16

Downloading reports
You can download the reports individually or in bulk.
Steps:
1 Click Configuration and select Reports.

Reports page with the list of reports is displayed.

2 Click Download Reports button.

3 Downloads window with the list of all the reports is displayed.

4 Click the required report you want to download.

The selected report is downloaded in the file format configured in the report.

Editing a report
You can modify an existing report as per your requirement.
Steps:
1 Click Configuration and select Reports.

Reports page with the list of reports is displayed.

2 Select the report you want to edit and click Edit button.

Edit Report page is displayed.

3 Modify the details as per your requirement and click Save button.

Deleting a report
You can delete an existing report which is not required further.
Steps:
1 Click Configuration and select Reports.

Reports page with the list of reports is displayed.

2 Select the report you want to delete and click Delete button.

The selected Report page gets deleted.

Attivo Cloud User Guide 261

16 Configuring reports

262 Attivo Cloud User Guide

17 Attivo Cloud maintenance activities

Viewing system faults

An indicator in the Attivo Cloud UI shows if there any faults in your subscription that might need your
attention. For example, these faults can be due to failed configuration setting like a syslog or AD server
becoming unreachable to Attivo Cloud. A fault can also result due to a failed operation, like when one of
the assessments by ADAssessor failed. You can click on this indicator to go to the Fault Logs page or go
to Configuration | System | Fault Logs.

No faults
When there are no faults, the indicator is displayed in green.

Warning faults
When the indicator displays in yellow, it indicates a warning; that a medium-severity fault has occurred
requiring your attention.

Critical faults
When the indicator displays in red, it indicates that there is some critical fault. It means that, some
critical feature or module is not functioning and requires your immediate attention.

Opening the faults in System faults page

• You can click on the system status indicator to open the System Faults page, wherein the current
fault messages are listed. The fault messages provide you the required information to troubleshoot
and correct the issues.

• Fault messages can be of 3 types – critical, warning, or informational. The informational messages do
not correspond to any faults. For example, an informational message can correspond to a
configuration process in progress.

Attivo Cloud User Guide 263

17 Attivo Cloud maintenance activities
Viewing system faults

Note: When you rectify an issue or if the issue gets rectified automatically, then the corresponding fault
message is also deleted automatically. You cannot view this fault message again until the issue occurs
again.

• You can acknowledge those fault messages, which you do not want to be listed by default. To view
this fault message again, you need to set the filters as All as below.

• You can also unacknowledge a fault message. However, if the fault is rectified, the corresponding fault
message is also deleted regardless of whether the fault message is acknowledged or unacknowledged.
Steps:
1 Click Configuration and select System | Fault Logs. You can also click on the system status
indicator.

• By default, the System Faults page displays the unacknowledged fault messages.

• Click Refresh to view the current faults.

• The Summary section displays the summary of unacknowledged fault messages and total number
of fault messages (acknowledged and unacknowledged).

• Click on the number to view the corresponding fault messages.

• The Severity section displays the number of unacknowledged faults based on the severity.

• The Severity section does not factor in the acknowledged faults. You can click on the number
to view the corresponding fault messages.

• Use the lists and the Search box to filter the fault messages.

264 Attivo Cloud User Guide

 Attivo Cloud maintenance activities
Audit logs 17

2 Select the required fault messages and click on Acknowledge or Unacknowledge button as per
your requirement.

3 Select the required fault messages and click Delete to permanently delete the fault messages.

4 The fault message is not displayed when the fault gets resolved. If the same fault reappears at a
different point in time, then the fault message is displayed again.

Audit logs
Audit Logs show any configuration changes made in Attivo Cloud. The log provides details such as the
user name using which the change/operation is initiated, operation performed (add/update/delete),
operation status (success/failure), feature name on which the operation is performed, and log message
description.
Example:
• Username:admin, Operation:Update, Result:Success, Module:Whitelist, Description: Successfully
saved the whitelist configurations.

• This indicates that user ‘admin’ made changes to the Whitelist.

• Username:admin, Operation:Login, Result:Success, Module:Authentication,

Description:Authentication Type:LOCAL. User [admin] logged in successfully from IP:10.xx.xx.x

This indicates that a local admin user logged in successfully from IP 10.xx.xx.x.

Viewing audit logs

You view the Audit logs in the Audit Logs page.
• Click Configuration and select System | Audit Logs.
Audit Logs page is displayed.

• By default, the audit logs are listed in the reverse chronological order. You can sort the audit logs
based on the Timestamp. Click on the column heading to sort the audit logs in the ascending or
descending order.

• Up to 20 audit logs are displayed per view. You can click on the corresponding view number to go
to the corresponding list of logs.

• Click the Refresh button to refresh the Audit Logs page.

Attivo Cloud User Guide 265

17 Attivo Cloud maintenance activities
Audit logs

• To locate specific audit logs, enter a string in Quick Find search box and press Enter. Audit logs
which contain this string are displayed.

• To remove the search criteria, delete the search string and press Enter.

• To delete all the audit logs permanently, click Delete All and click OK to confirm.

266 Attivo Cloud User Guide