
Tokens (ADS - Tokens)

This article provides information on using Active-Defense-Service (ADS) Tokens that can help you defend your network.

Overview

Active Defense Service (ADS) Tokens are traps positioned in a system or network under attractive names, in the form of documents (Word, Excel, PDF), folders and so on. They wait for cyber-criminals to access them and, when accessed, reveal the information needed to identify where the respective ADS token was triggered.

These Tokens are used much like Active Defense Services (ADS). The difference is that ADS Services such as SSH, MySQL and Telnet are deployed as decoy services within the network, which a cyber-criminal may interact with and thereby raise a red flag, whereas Tokens are embedded in files, folders and pages.

Types of ADS-Tokens

As part of the beta release, BluSapphire offers the following types of Active Defense Service (ADS) Tokens that can be positioned in a system or network:

Token Type | Description
Web-Based URL Token | Generates an HTTP-based URL token that can be embedded inside a document or a webpage. Uses the HTTP channel for communication.
Cloned Website | Generates a JavaScript snippet for the specified domain that should be placed on the webpage or portal page, notifying you if someone clones the webpage and hosts it on another domain. Uses the HTTP channel for communication.
Microsoft Word | Generates a Word document embedded with a token, notifying you if someone opens the Word file. Uses the HTTP channel for communication.
Microsoft Excel | Generates an Excel document embedded with a token, notifying you if someone opens the Excel file. Uses the HTTP channel for communication.
Sensitive Command Execution | Generates a Windows registry file for the specified Windows command, embedded with a token, that needs to be imported onto the target endpoint. Uses the DNS channel for communication.
PDF Document | Generates a PDF document embedded with a token, notifying you if someone opens the PDF file. Uses the DNS channel for communication.
Windows Directory | Generates a Windows folder embedded with a token, notifying you if someone accesses the specified folder or directory. Uses the DNS channel for communication.

Web-Based URL Token

This is a generic URL token that can be embedded as a 1x1 image inside a document, webpage, etc. Alerts are generated when the document is opened or accessed, including information on where the token was triggered.

Usage Examples:

  • Embed the token in documents with attractive filenames and position in a system, or network file share.

  • Embed in webpages that are not linked anywhere and can only be found by brute-forcing paths.

Cloned Web Token

One of the attack vectors most widely used by cyber-criminals is phishing, which involves:

  • Cloning the web login portals of the target organization

  • Hosting the cloned webpage in an attacker-controlled environment

  • Initiating a campaign that serves the cloned login portal to users, thereby tricking them into providing their access credentials.

Cloned Web Token can detect such activities by alerting you whenever someone clones your website and hosts it on a different domain.

  • This generates a JavaScript code snippet with a token that should be placed within the <script> tags of your website or employee login portal page.
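The logic such a snippet needs, as an added example rather than the snippet BluSapphire generates: compare the serving hostname against the legitimate ones and, on a mismatch, request a 1x1 image from the token URL carrying the host and referrer. The legitimate hostnames and the token URL are assumptions.

```javascript
// Added example (not BluSapphire's generated snippet): the decision and
// beacon logic of a cloned-web token. Hostnames and token URL are assumed.
const LEGIT_HOSTS = ["login.example.com", "www.example.com"];
const TOKEN_URL = "https://token.example.net/t/CLONE-TOKEN-ID"; // placeholder

// True when the page is served from a host that is neither a legitimate host
// nor one of its subdomains. Localhost is excluded so that developers
// previewing the page do not raise alerts.
function isClonedHost(hostname, legitHosts = LEGIT_HOSTS) {
  const h = String(hostname || "").toLowerCase().replace(/\.$/, "");
  if (h === "" || h === "localhost" || h === "127.0.0.1") return false;
  return !legitHosts.some((l) => h === l || h.endsWith("." + l));
}

// Build the beacon URL: the serving host and the referrer are what an
// analyst needs to locate where the clone is hosted.
function buildBeaconUrl(tokenUrl, hostname, referrer = "") {
  const u = new URL(tokenUrl);
  u.searchParams.set("h", hostname);
  if (referrer) u.searchParams.set("r", referrer);
  return u.toString();
}

// Browser entry point: fires the beacon only when the page is cloned.
// Returns the beacon URL that was requested, or null when nothing was sent.
function runCloneCheck() {
  if (typeof window === "undefined") return null; // not in a browser
  const host = window.location.hostname;
  if (!isClonedHost(host)) return null;
  const beacon = buildBeaconUrl(TOKEN_URL, host, document.referrer);
  const img = new Image(1, 1);
  img.src = beacon;
  return beacon;
}

runCloneCheck();
```

As the note on this page says, a snippet like this is readable as-is and would be run through a JavaScript obfuscator before deployment.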

Microsoft Word

This generates a Microsoft Word document that is embedded with the token, which is triggered when someone opens the Word document.

  • Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, for example employee_salaries.docx, client_access.docx, network-layout.docx, proposals.docx, etc.

  • Ideal placement for this MS Word Token would be network file shares or the web server; alternatively, use the generated token files in combination with the ADS - LIADS SMB Service, making them accessible via a LIADS SMB network share.

Microsoft Excel

This generates a Microsoft Excel document that is embedded with the token, which is triggered when someone opens the Excel document.

  • Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, for example employee_salaries.xlsx, employee_info.xlsx, client_access.xlsx, proposals.xlsx, etc.

  • Ideal placement for this MS Excel Token would be network shares or the web server; alternatively, use the generated token files in combination with the ADS - LIADS SMB Service, making them accessible via a LIADS SMB network share.

Sensitive Command Execution

This Token helps detect the execution of sensitive built-in Windows commands like whoami.exe, net.exe, wmic.exe, etc., or attacker tools like mimikatz.exe, wce.exe, etc., on the host.

  • This technique makes use of a Windows registry key for monitoring command executions and generates an alert when someone executes a specific command that is monitored by the token.

  • The generated registry file must be imported onto the host with admin privileges. When someone then runs the command, an alert is generated with information on where the command was executed: the host and the user invoking the command.

PDF Document

This generates a PDF document that is embedded with a DNS token. A DNS lookup of a unique name is initiated when someone opens the PDF document, which in turn triggers an alert.

  • Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, for example network_layout.pdf, employee_info.pdf, client_accessInfo.pdf, proposals.pdf, etc.

  • Ideal placement for this PDF document Token would be network shares or the web server.

Windows Directory

This generates a zip file containing a directory/folder with a hidden token file. A DNS lookup is initiated when someone browses to the tokened directory, which in turn raises an alert.

  • Download the zip file with the token “desktop.ini” file, create a folder on the Windows host and place the generated “desktop.ini” file in it. Ensure the folder name looks juicy enough that cyber-criminals will attempt to access it, for example client_info, employee_info, backups, policies, etc.


Last updated 2 years ago

Note on the Cloned Web Token: the generated JavaScript code snippet is user-readable, and cyber-criminals usually go through the cloned code and remove unwanted code before hosting it on another domain. It is therefore recommended to obfuscate the generated JavaScript code snippet using a JavaScript obfuscator before placing it on the website.