
Credential Theft using Overpass-The-Hash alert is not generated in an upgraded SEPM integrated with TDAD


Article ID: 175536

Products

Endpoint Protection, Endpoint Threat Defense for Active Directory

Issue/Introduction

When Symantec Endpoint Threat Defense for Active Directory (TDAD) is integrated with a Symantec Endpoint Protection Manager (SEPM) and a test is run on a client using the Credential Theft using Overpass-The-Hash method, no alert is generated in the SEPM for the action.

Cause

The test client is not recognized as managed by the associated SEPM, so TDAD cannot attribute the detection to that SEPM and no alert is raised there.

Resolution

For this alert to be generated, the Management server name of the SEPM to which the client is connected must be identical to that machine's hostname, and the same hostname must also appear on the SEPM server certificate used to register the SEPM with the TDAD Core Console.

If the client is connected to a SEPM whose Management server name differs from the machine hostname, reconfigure that SEPM so its Management server name matches the hostname by following these steps:

  1. Start the SEPM's Management Server Configuration Wizard
  2. Change the Management server name so that it is the same as the SEPM machine's hostname
  3. Ensure the client is connected to the same SEPM
  4. Generate a Credential Theft using Overpass-The-Hash alert on the client