The mask is not displayed with TDAD on-premises and Windows 10 / 11 (version 22H2)


Article ID: 278216


Updated On:

Products

Endpoint Threat Defense for Active Directory

Issue/Introduction

After installing or updating to Windows 10 / 11 (version 22H2), the obfuscation mask is not displayed when reconnaissance commands are run on an endpoint.

Environment

TDAD Integrated and Standalone versions: 3.6.2.4, 3.6.2.6, and 3.6.2.8
Windows 10 / 11 (version: 22H2)

Cause

TDAD On-premises has not been updated to support newer operating systems such as Windows 10 / 11 (version 22H2) and later. Because of this, the memory injection that presents the obfuscated data does not work, and the mask is not displayed.

Resolution

  1. Update OS support with a new OsConfig.dat file:

    1. Download the updated OsConfig.dat from the Attachments section of this article
    2. Open the IIS (Internet Information Services) Manager
    3. Select the top-level website hosting TDAD
    4. In the Actions pane under Manage Server click Stop
    5. Open a File Explorer to: C:\Program Files\Symantec\Endpoint Threat Defense for AD\dm_pub\Traps\genFake\ExtraSections
    6. Save a backup copy of OsConfig.dat (it can be removed later when the new file is confirmed working)
    7. Copy the new OsConfig.dat over the existing one
    8. Return to the Actions pane in the IIS Manager and click Start to bring the website back up
    9. Open the TDAD UI (https://<tdad_server>/ui/login) and log in with an Administrator-level account
    10. For TDAD Standalone: Follow the steps in Windows 10 21H1 undeployable on TDAD 3.6.2 standalone (broadcom.com) to allow deployment from the console
    11. Go to Settings -> AI
    12. Update the obfuscation to rebuild files for the endpoints
      1. Click Edit
      2. Select the domain
      3. Click Next 3 times
      4. Change the multiplication factor
      5. Click Next and Save
      6. Wait for AI to complete
    13. Repeat step 11 and set the multiplication factor back to its original value
    14. Click Re-Run AI Learning
    15. Select the domain
    16. Click Re-Run
    17. Re-deploy to endpoints
      1. TDAD Integrated:
        1. Reboot SEPM machine
        2. Log in to the SEPM
        3. Check the policy serial number on the relevant group(s)
        4. Ensure the SEP policy serial number has updated on the client machines, then reboot them (you can wait for the next heartbeat, or force a heartbeat from the client's tray icon)
      2. TDAD Standalone:
        1. If a label is assigned to the endpoint's OU, the deployment should be automatic.
        2. If labels are assigned to specific endpoints, assign the label to those endpoints which have not been previously deployed.
    18. Reboot the endpoints to ensure the updated OS support is applied
    19. Confirm the mask is displayed when running recon commands

NOTE: This process is required to continue using obfuscation masking in an environment where Windows 10 / 11 endpoints are upgraded to 22H2. However, the same updated OsConfig.dat file does not support Windows 11 22H2 and later versions.
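Steps 2 through 8 of the procedure above (stop the IIS site, back up the existing OsConfig.dat, copy the new file in, restart the site) can be done from an elevated PowerShell prompt on the TDAD server. The script below is an added example, not part of the article or the product; it assumes the IIS WebAdministration module is available, and the site name ($SiteName), the path to the downloaded file ($NewFile) and the optional SHA-256 value to check it against ($ExpectedSha256) are operator-supplied parameters, since the article does not give them. The ExtraSections path is the one named in step 5.

```powershell
# Added example (not from the article): replace OsConfig.dat while the TDAD site is stopped.
# Assumptions: WebAdministration module present; $SiteName/$NewFile/$ExpectedSha256 supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $SiteName,        # top-level IIS website hosting TDAD (name varies per install)
    [Parameter(Mandatory)] [string] $NewFile,         # path to the OsConfig.dat downloaded from this article
    [string] $ExpectedSha256                          # optional: SHA-256 recorded when the file was downloaded
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Path from step 5 of the article
$Dir    = 'C:\Program Files\Symantec\Endpoint Threat Defense for AD\dm_pub\Traps\genFake\ExtraSections'
$Target = Join-Path $Dir 'OsConfig.dat'

# Pre-flight checks before touching the running service
if (-not (Test-Path $NewFile)) { throw "New OsConfig.dat not found: $NewFile" }
if (-not (Test-Path $Target))  { throw "Existing OsConfig.dat not found at $Target" }
if ($ExpectedSha256) {
    $actual = (Get-FileHash -Path $NewFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) { throw "SHA-256 mismatch for $NewFile (got $actual)" }
}
# Filter by name rather than relying on Get-Website -Name, which on some versions returns all sites for an unknown name
if (-not (Get-Website | Where-Object { $_.Name -eq $SiteName })) { throw "IIS site '$SiteName' not found" }

# Step 4: stop the site so the file is not in use during the swap
Stop-Website -Name $SiteName
try {
    # Step 6: keep a timestamped backup (remove it once the new file is confirmed working)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $Dir "OsConfig.dat.bak-$stamp"
    Copy-Item -Path $Target -Destination $backup

    # Step 7: copy the new file over the existing one, then confirm what landed on disk is what we intended
    Copy-Item -Path $NewFile -Destination $Target -Force
    $onDisk = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
    $wanted = (Get-FileHash -Path $NewFile -Algorithm SHA256).Hash
    if ($onDisk -ne $wanted) { throw "Copy verification failed for $Target" }
    Write-Host "Installed new OsConfig.dat; backup saved at $backup"
}
finally {
    # Step 8: bring the site back up even if the swap failed, so the console is not left down
    Start-Website -Name $SiteName
}
```

Run it as, for example, `.\Update-OsConfig.ps1 -SiteName '<TDAD site name>' -NewFile 'C:\Temp\OsConfig.dat'`. After it completes, continue from step 9 (log in to the TDAD UI and rebuild the obfuscation), which is a console operation and is not scripted here.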

Additional Information

CRE-16611

Attachments

OsConfig.dat