TDAD cloud validation and testing
Article ID: 251877

Products

Endpoint Security Complete Endpoint Threat Defense for Active Directory

Issue/Introduction

You need to know some sample commands or scripts that you can run to ensure the Threat Defense for Active Directory (TDAD) feature is detecting what it is supposed to.

Environment

Component: TDAD cloud

Resolution

With the cloud version you can check a few things to ensure that it is deployed and active. If your policy is configured to "Run in Monitor or Audit Mode Only", there will be less to see on the endpoint, because enforcement actions such as blocking the shell do not occur.

First, check that the obfuscation mask has been applied on an endpoint that is in a device group with the TDAD policy applied. From a command prompt, use the following commands to check for obfuscation:

  • net group /dom "domain admins"
  • net group /dom "domain computers"

Both of these commands should return "masked" output, which contains a mix of real and fake (decoy) objects.

Next, from the list of computers select 4 fake objects and ping each one. After the third ping, if the policy is enforced and Mitigate Suspicious Processes is enabled, the active shell will no longer permit most commands. In addition, alerts and an incident will be generated in the cloud console. Look for events such as "Deception Lateral Movement" and an incident named "TDAD Domain Computer Ping Scan ...".

Other tests you can run:

  • runas /user:<Your Domain>.com\<Fake User> notepad.exe
        (Any password may be entered at the prompt.)

  • net use z: \\<Your DC Name>\C$ /user:<Your Domain>.com\<Fake User> <password>

  • dir \\<Fake Computer>\c$
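The mask check and the decoy-ping step described above, scripted as an added PowerShell example (this is not from the article or the TDAD product). It assumes you already hold a reference member list captured where no mask applies (for example from a DC) so that decoys can be told apart from real objects; the group name, reference file and decoy names are placeholders.

```powershell
# Added helper, not part of the Broadcom article or the TDAD product.
# Assumes an interactive session on an endpoint in a device group with the TDAD
# policy applied, and a reference member list saved from an unmasked source.

function Get-NetGroupMembers {
    # Parse "net group /domain <group>" output into a list of member names.
    param([Parameter(Mandatory)][string]$GroupName)
    $members = @()
    $inList = $false
    foreach ($line in (net group /domain $GroupName 2>&1)) {
        if ($line -match '^-+$') { $inList = $true; continue }   # dashed separator under the header
        if ($line -match '^The command completed') { break }      # trailer line
        if ($inList -and $line.Trim()) {
            $members += ($line -split '\s+' | Where-Object { $_ })  # names are printed in space-padded columns
        }
    }
    return $members
}

function Compare-MaskedGroup {
    # Names present only in the masked output are decoys; names present only in
    # the reference were hidden by the mask (unexpected, so it is reported).
    param([Parameter(Mandatory)][string]$GroupName,
          [Parameter(Mandatory)][string[]]$Reference)
    $masked = Get-NetGroupMembers -GroupName $GroupName
    $decoys = @($masked | Where-Object { $_ -notin $Reference })
    [pscustomobject]@{
        Group      = $GroupName
        MaskActive = $decoys.Count -gt 0
        Decoys     = $decoys
        Missing    = @($Reference | Where-Object { $_ -notin $masked })
    }
}

function Test-DecoyPing {
    # Ping the chosen decoy computers one at a time. As the article states, the
    # third ping is expected to trigger mitigation of this shell when the policy
    # is enforced with Mitigate Suspicious Processes, so run this step last.
    param([Parameter(Mandatory)][string[]]$Decoys)
    foreach ($name in $Decoys) {
        $target = $name.TrimEnd('$')   # net group lists computer accounts with a trailing $
        $up = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue
        "{0,-24} reachable={1}" -f $target, $up
    }
}

# Example run (file name and decoy names are placeholders):
# $ref = Get-Content .\domain-computers-reference.txt
# (Compare-MaskedGroup -GroupName 'domain computers' -Reference $ref).Decoys
# Test-DecoyPing -Decoys @('DECOY-A$', 'DECOY-B$', 'DECOY-C$', 'DECOY-D$')
```

After the pings, confirm in the cloud console that the "Deception Lateral Movement" events and the ping-scan incident were raised for this endpoint.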

Additional Information

See the on-prem product guides at Endpoint Threat Defense for Active Directory Documentation (broadcom.com) for more suggestions.