Tokens (ADS - Tokens)
This article provides information on using Active-Defense-Service (ADS) Tokens that can help you defend your network.
Overview
Active Defense Service (ADS) Tokens are traps positioned in a system or on a network under attractive names, in the form of documents (Word, Excel, PDF), folders, and so on. They wait for cyber criminals to access them; when one is triggered, it reveals the information needed to identify where the respective ADS token was triggered.
These Tokens are similar to Active Defense Services (ADS) in terms of usage. However, ADS Services such as SSH, MySQL, Telnet and others are deployed as decoy services within the network, which a cyber-criminal may interact with and so raise a red flag.
Types of ADS-Tokens
As part of the beta release, BluSapphire offers the following types of Active Defense Service (ADS) Tokens that can be positioned in a system or network:
Token Type | Description
---|---
Web-Based URL Token | Generates an HTTP-based URL token that can be embedded inside a document or a webpage. Uses the HTTP channel for communication.
Cloned Web Token | Generates a JavaScript snippet for the specified domain, to be placed on the webpage or portal page, notifying you if someone clones the webpage and hosts it on another domain. Uses the HTTP channel for communication.
Microsoft Word | Generates a Word document embedded with a token, notifying you if someone opens the embedded Word file. Uses the HTTP channel for communication.
Microsoft Excel | Generates an Excel document embedded with a token, notifying you if someone opens the embedded Excel file. Uses the HTTP channel for communication.
Sensitive Command Execution | Generates a Windows registry file for the specified Windows command, embedded with a token, that must be imported onto the target endpoint. Uses the DNS channel for communication.
PDF Document | Generates a PDF document embedded with a token, notifying you if someone opens the embedded PDF file. Uses the DNS channel for communication.
Windows Directory | Generates a Windows folder embedded with a token, notifying you if someone accesses the specified folder or directory. Uses the DNS channel for communication.
Web-Based URL Token
This is a generic URL token that, once generated, can be embedded as a 1x1 image inside a document, webpage, etc. Alerts are generated upon opening or accessing the document, with information on where the token was triggered.
Usage Examples:
- Embed the token in documents with attractive filenames and position them on a system or on a network file share.
- Embed it in webpages that can only be found via brute forcing.
Cloned Web Token
One of the attack vectors widely used by cyber-criminals is phishing, which involves:
- Cloning the web login portals of the target organization
- Hosting the cloned webpage in an attacker-controlled environment
- Initiating a campaign that serves the cloned login portal to users, thereby tricking them into providing access credentials
Cloned Web Token can detect such activities by alerting you whenever someone clones your website and hosts it on a different domain.
This generates a JavaScript code snippet carrying a token, which should be placed within the script tags of your website or employee login portal page.
Note: The generated JavaScript code snippet is user-readable, and cyber-criminals usually go through the cloned code and remove unwanted code before hosting it on another domain. It is therefore recommended to obfuscate the generated snippet with a JavaScript obfuscator before placing it on the website.
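The check such a snippet performs, written out as an added example (this is not BluSapphire's generated snippet): the page compares the hostname it is served from against the hostnames you own and, on a mismatch, fires the token URL as a 1x1 image load so the alert carries the cloning domain. The legitimate hostnames and the token URL below are placeholders.

```javascript
// Added example, not the product's generated snippet. LEGIT_HOSTS and TOKEN_URL are
// assumed placeholder values that a real deployment would replace.
const LEGIT_HOSTS = ["login.example.com", "portal.example.com"]; // assumed
const TOKEN_URL = "https://token.example.invalid/t/PLACEHOLDER-TOKEN-ID"; // assumed

// Pure decision function: returns null when the page is served from one of our own
// hostnames, otherwise the beacon URL to fire, with the serving host and the page
// location as query parameters so the alert says where the token was triggered.
function cloneBeaconUrl(hostname, href, legitHosts = LEGIT_HOSTS, tokenUrl = TOKEN_URL) {
  const host = String(hostname || "").toLowerCase();
  if (legitHosts.some(h => h.toLowerCase() === host)) return null;
  // An empty hostname means a saved copy opened from disk (file://) or a sandboxed
  // preview; both are still "not our domain", so they are reported as "(none)".
  const params = new URLSearchParams({ h: host || "(none)", l: href || "" });
  return tokenUrl + "?" + params.toString();
}

// Browser-side installer: a 1x1 image load needs no fetch/CORS support and works
// even if the rest of the cloned page's scripts were stripped or broken.
function installCloneDetector() {
  if (typeof window === "undefined" || typeof document === "undefined") return false;
  const url = cloneBeaconUrl(window.location.hostname, window.location.href);
  if (url === null) return false;
  const img = new Image(1, 1);
  img.style.display = "none";
  img.src = url; // the GET to the token endpoint is the alert
  document.body.appendChild(img);
  return true;
}

if (typeof window !== "undefined") installCloneDetector();
```

The same check can be extended to compare window.location against document.referrer or the form's action URL, but the hostname comparison is the part a clone cannot satisfy without also owning your domain.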
Microsoft Word
This generates a Microsoft Word document embedded with the token, which is triggered when someone opens the Word document.
Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, such as employee_salaries.docx, client_access.docx, network-layout.docx, proposals.docx, etc.
Ideal placement for this MS Word Token is on network file shares or on a web server; alternatively, use the generated token files in combination with the ADS - LIADS SMB Service, making them accessible via the LIADS SMB network share.
Microsoft Excel
This generates a Microsoft Excel document embedded with the token, which is triggered when someone opens the Excel document.
Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, such as employee_salaries.xlsx, employee_info.xlsx, client_access.xlsx, proposals.xlsx, etc.
Ideal placement for this MS Excel Token is on network shares or on a web server; alternatively, use the generated token files in combination with the ADS - LIADS SMB Service, making them accessible via the LIADS SMB network share.
Sensitive Command Execution
This Token helps detect the execution of sensitive built-in Windows commands such as whoami.exe, net.exe, wmic.exe, etc., or attacker tools such as mimikatz.exe, wce.exe, etc., on the host.
The technique uses a Windows registry key to monitor command executions and generates an alert when someone executes a specific command that is monitored by the token.
The generated registry file must be imported onto the host with admin privileges. When someone then runs the command, an alert is generated with information on where the command was executed, the host, and the user invoking the command.
PDF Document
This generates a PDF document embedded with a DNS token: when someone opens the PDF document, a DNS lookup of a unique address is initiated, which in turn triggers an alert.
Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, such as network_layout.pdf, employee_info.pdf, client_accessInfo.pdf, proposals.pdf, etc.
Ideal placement for this PDF document Token is on network shares or on a web server.
Windows Directory
This generates a zip file containing a directory/folder with a hidden token file. When someone browses to the tokened directory, a DNS lookup is initiated, which raises an alert.
Download the zip file with the token "desktop.ini" file, create a folder on the Windows host and place the generated "desktop.ini" file in it. Ensure the folder name looks juicy enough that cyber-criminals will attempt to access it, such as client_info, employee_info, backups, policies, etc.
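How a DNS-channel token (the Sensitive Command Execution, PDF Document and Windows Directory tokens above) turns into an alert, as an added example rather than BluSapphire's code: each issued token resolves under a unique name, so a lookup of that name identifies which token fired, and the querying client identifies where. The token zone, token ids, placements and query-log lines are all constructed placeholders, and the "hint" labels are an assumption, not a documented product format.

```javascript
// Added example (not BluSapphire's code): matching DNS query-log lines against a
// registry of issued DNS-channel tokens. Zone, ids, placements and log lines are
// constructed placeholders.
const TOKEN_ZONE = "tok.example.invalid"; // assumed zone the tokens resolve under

// Issued tokens: unique id label -> token type and where we placed it (assumed).
const ISSUED = {
  k7f2q9: { type: "PDF Document", placed: "\\\\fileshare01\\finance\\employee_info.pdf" },
  m3x8ab: { type: "Windows Directory", placed: "\\\\fileshare01\\backups (desktop.ini)" },
  p1z6cd: { type: "Sensitive Command Execution", placed: "whoami.exe on WS-HR-07" },
};

// Parse one query-log line of the constructed form "<time> client <ip> query: <qname>".
function parseQueryLine(line) {
  const m = /^(\S+) client (\S+) query: (\S+)$/.exec(line.trim());
  if (!m) return null;
  return { time: m[1], client: m[2], qname: m[3].replace(/\.$/, "").toLowerCase() };
}

// Map a parsed query to an alert. The token id is the label directly left of the
// zone; any labels further left are passed through as an opaque hint (assumption:
// a triggering host may prepend context labels) rather than interpreted here.
function matchToken(q, issued = ISSUED, zone = TOKEN_ZONE) {
  if (!q || !(q.qname === zone || q.qname.endsWith("." + zone))) return null;
  const labels = q.qname.slice(0, -(zone.length + 1)).split(".").filter(Boolean);
  if (labels.length === 0) return null; // bare zone (NS/SOA lookups), not a token
  const id = labels[labels.length - 1];
  const tok = issued[id];
  if (!tok) return { time: q.time, client: q.client, unknownId: id }; // probing or typo
  return { time: q.time, client: q.client, id, type: tok.type,
           placed: tok.placed, hint: labels.slice(0, -1).join(".") };
}

// Turn a batch of log lines into alerts for issued tokens only.
function alertsFromLog(lines, issued = ISSUED, zone = TOKEN_ZONE) {
  return lines.map(parseQueryLine)
    .map(q => matchToken(q, issued, zone))
    .filter(a => a !== null && a.id !== undefined);
}

const SAMPLE_LOG = [ // constructed lines, not real resolver output
  "2024-05-02T09:14:03Z client 10.20.30.40 query: k7f2q9.tok.example.invalid.",
  "2024-05-02T09:14:05Z client 10.20.30.40 query: www.example.com.",
  "2024-05-02T09:15:11Z client 10.20.30.41 query: tok.example.invalid.",
  "2024-05-02T09:16:42Z client 10.20.30.42 query: WS-HR-07.jdoe.p1z6cd.tok.example.invalid.",
  "2024-05-02T09:17:00Z client 10.20.30.43 query: zzzzzz.tok.example.invalid.",
];
console.log(alertsFromLog(SAMPLE_LOG));
```

Lookups for ids you never issued (the last sample line) are worth a separate, lower-severity alert, since they indicate someone enumerating the token zone rather than opening a placed file.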