Tokens (ADS - Tokens)

This article provides information on using Active Defense Service (ADS) Tokens to help you defend your network.

Overview

Active Defense Service (ADS) Tokens are traps positioned in a system or on a network under attractive names, in the form of documents (Word, Excel, PDF), folders, and so on. They wait for cyber-criminals to access them; when one does, the token reveals the information needed to identify where it was triggered.

These Tokens are similar to Active Defense Services (ADS) in terms of usage. The difference is that ADS Services such as SSH, MySQL and Telnet are deployed as decoy services within the network, which a cyber-criminal may interact with and thereby raise a red flag, whereas Tokens are files and snippets placed where an intruder would find them.

Types of ADS-Tokens

As part of the beta release, BluSapphire offers the following types of Active Defense Service (ADS) Tokens that can be positioned in a system or network:

Web-Based URL Token

This is a generic URL token that is generated and can be embedded as a 1x1 image inside a document, webpage, etc. An alert is generated when the document is opened or accessed, carrying the information on where the token was triggered.

Usage Examples:

  • Embed the token in documents with attractive filenames and position them in a system or on a network file share.

  • Embed in webpages that can only be found via brute forcing.

Cloned Web Token

One of the attack vectors most widely used by cyber-criminals is phishing, which typically involves:

  • Cloning the web login portals of the target organization

  • Hosting the cloned webpage in an attacker-controlled environment

  • Launching a campaign that serves the cloned login portal to users, thereby tricking them into providing their access credentials.

The Cloned Web Token detects such activity by alerting you whenever someone clones your website and hosts it on a different domain.

  • This generates a JavaScript code snippet containing a token, which should be placed within the JavaScript (script) tags of your website or employee login portal page.

Note: The generated JavaScript code snippet is user-readable, and cyber-criminals usually go through the cloned code and remove unwanted code before hosting it on another domain. It is therefore recommended to obfuscate the generated snippet with a JavaScript obfuscator before placing it on the website.
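The logic behind such a snippet, as an added example that is not BluSapphire's generated code: the script compares the hostname the page is served from against the organisation's own hosts and, on a mismatch, requests a beacon image from the token host with the cloning domain attached. The allowed hostnames and the beacon URL are assumptions.

```javascript
// Added example, not BluSapphire's generated snippet: the logic behind a
// cloned-site token. Served as part of the real login page, it compares the
// hostname the page is running on against the organisation's own hosts and,
// on a mismatch, requests a beacon image from the token host with the cloning
// domain attached. The hostnames and the token URL are assumptions.
const ALLOWED_HOSTS = ["login.example.com", "sso.example.com"]; // assumed real portals
const TOKEN_BEACON = "https://tokens.example.net/c/9f8e7d6c.gif"; // assumed token URL

// Lower-case, strip a port and a trailing dot, so comparisons are exact.
function normalizeHost(host) {
  return String(host).toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// True when the page is served from a host that is neither an allowed host nor
// a subdomain of one. "login.example.com.evil.test" is therefore a clone, while
// "staging.login.example.com" is not.
function isClonedHost(host, allowed = ALLOWED_HOSTS) {
  const h = normalizeHost(host);
  return !allowed.some((a) => {
    const n = normalizeHost(a);
    return h === n || h.endsWith("." + n);
  });
}

// Beacon URL with the cloning host, the path and the referrer as query
// parameters, so the alert states which domain is serving the copy.
function buildBeaconUrl(host, path, referrer = "", beacon = TOKEN_BEACON) {
  const u = new URL(beacon);
  u.searchParams.set("h", normalizeHost(host));
  u.searchParams.set("p", path);
  if (referrer) u.searchParams.set("r", referrer);
  return u.toString();
}

// Browser entry point. Returns the beacon URL it fired, or null. Runs only
// where `window` exists, so the same file can be loaded under Node for tests.
function fireIfCloned() {
  if (typeof window === "undefined") return null;
  const { hostname, pathname } = window.location;
  if (!isClonedHost(hostname)) return null;
  const url = buildBeaconUrl(hostname, pathname, document.referrer);
  const img = new Image(); // an image fetch needs no response and is not blocked by CORS
  img.src = url;
  return url;
}

fireIfCloned();
```

Placed inside the script tags of the real login page, this fires the moment a copy is loaded from any other domain. The allow-list and the beacon URL sit in plain text, which is exactly why the note above recommends obfuscating the snippet: a clone whose author strips the script never fires, so the token only catches clones that keep the page's scripts.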

Microsoft Word

This generates a Microsoft Word document with the token embedded; the token is triggered when someone opens the Word document.

  • Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, such as employee_salaries.docx, client_access.docx, network-layout.docx, proposals.docx, etc.

  • Ideal placements for this MS Word Token are network file shares or a web server; alternatively, use the generated token files in combination with the ADS - LIADS SMB Service, making them accessible via the LIADS SMB network share.

Microsoft Excel

This generates a Microsoft Excel document with the token embedded; the token is triggered when someone opens the Excel document.

  • Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, such as employee_salaries.xlsx, employee_info.xlsx, client_access.xlsx, proposals.xlsx, etc.

  • Ideal placements for this MS Excel Token are network shares or a web server; alternatively, use the generated token files in combination with the ADS - LIADS SMB Service, making them accessible via the LIADS SMB network share.

Sensitive Command Execution

This Token helps detect the execution of sensitive built-in Windows commands such as whoami.exe, net.exe and wmic.exe, or attacker tools such as mimikatz.exe and wce.exe, on the host.

  • This technique uses a Windows registry key to monitor command executions and generates an alert when someone executes a command that the token monitors.

  • The generated registry file must be imported onto the host with admin privileges. When someone then runs the command, an alert is generated with information on where the command was executed: the host and the user invoking the command.
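Because the registry file is imported with admin privileges, it is worth reviewing what it changes before importing it. The following is an added example, not BluSapphire's generated file: a small parser for the regedit text format that lists every key the file creates or deletes and every value it writes, and flags keys outside the prefix the token is expected to use. SAMPLE_REG is constructed, and its key paths and value names are placeholders rather than the product's real layout.

```javascript
// Added example, not BluSapphire's generated file: a reviewer for a Windows
// .reg file before it is imported with admin privileges. It lists every key
// the file creates or deletes and every value it writes, and flags keys
// outside the prefix the token is expected to use. SAMPLE_REG is constructed;
// the key paths and value names are placeholders, not the product's layout.
const SAMPLE_REG = [
  "Windows Registry Editor Version 5.00",
  "",
  "[HKEY_LOCAL_MACHINE\\SOFTWARE\\PLACEHOLDER\\CommandMonitor\\whoami.exe]",
  "\"MonitorProcess\"=dword:00000001",
  "\"Token\"=\"ads-tok-1234\"",
  "\"Blob\"=hex:01,02,\\",
  "  03,04",
  "",
  "[HKEY_LOCAL_MACHINE\\SOFTWARE\\PLACEHOLDER\\CommandMonitor\\net.exe]",
  "@=\"default value\"",
  "",
  "[-HKEY_CURRENT_USER\\SOFTWARE\\PLACEHOLDER\\OldKey]",
].join("\r\n");

// Parse one value: "-" deletes, "..." is REG_SZ (\\ and \" escapes),
// dword:XXXXXXXX is REG_DWORD, hex:/hex(n): is binary data.
function parseValue(v) {
  let m;
  if (v === "-") return { type: "delete", data: null };
  if ((m = /^"((?:[^"\\]|\\.)*)"$/.exec(v))) return { type: "REG_SZ", data: m[1].replace(/\\(.)/g, "$1") };
  if ((m = /^dword:([0-9a-f]{8})$/i.exec(v))) return { type: "REG_DWORD", data: parseInt(m[1], 16) };
  if ((m = /^hex(?:\(([0-9a-f]+)\))?:(.*)$/i.exec(v))) {
    const bytes = m[2].split(",").map((s) => s.trim()).filter(Boolean);
    return { type: m[1] ? `hex(${m[1]})` : "REG_BINARY", data: bytes };
  }
  throw new Error("unsupported value syntax: " + v);
}

// Parse the regedit text format: header, then [KEY] or [-KEY] sections
// containing "name"=value or @=value lines; a trailing backslash continues
// a long hex value on the next line.
function parseRegFile(text) {
  const lines = text.replace(/^\uFEFF/, "").split(/\r?\n/);
  if (!/^(Windows Registry Editor Version 5\.00|REGEDIT4)/.test(lines[0] || "")) {
    throw new Error("not a .reg file: missing header");
  }
  const keys = [];
  let current = null;
  let pending = "";
  for (const raw of lines.slice(1)) {
    let line = raw.trim();
    if (line.endsWith("\\")) { pending += line.slice(0, -1); continue; }
    line = pending + line;
    pending = "";
    if (!line || line.startsWith(";")) continue;
    const sec = /^\[(-?)(.+)\]$/.exec(line);
    if (sec) {
      current = { path: sec[2], action: sec[1] ? "delete" : "create", values: [] };
      keys.push(current);
      continue;
    }
    if (!current) throw new Error("value outside any key: " + line);
    const m = /^(@|"((?:[^"\\]|\\.)*)")=(.*)$/.exec(line);
    if (!m) throw new Error("unparsable line: " + line);
    const name = m[1] === "@" ? "(Default)" : m[2].replace(/\\(.)/g, "$1");
    current.values.push({ name, ...parseValue(m[3]) });
  }
  return keys;
}

// Summarise what importing the file would do. machineWide marks HKLM keys
// (the reason the import needs admin rights); outOfScope marks anything not
// under the expected prefix, which should make the reviewer stop.
function reviewRegFile(text, expectedPrefix) {
  const prefix = expectedPrefix.toLowerCase();
  return parseRegFile(text).map((k) => ({
    action: k.action,
    path: k.path,
    machineWide: /^HKEY_LOCAL_MACHINE\\/i.test(k.path),
    outOfScope: !k.path.toLowerCase().startsWith(prefix),
    values: k.values.map((v) => `${v.name} (${v.type})`),
  }));
}

module.exports = { SAMPLE_REG, parseValue, parseRegFile, reviewRegFile };
```

Files exported by regedit 5.00 are UTF-16LE with a byte-order mark, so read a real file with `fs.readFileSync(path, "utf16le")` before passing it to `reviewRegFile`; the parser strips the BOM itself. Any entry reported as `outOfScope` or an unexpected `delete` is a reason not to import the file.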

PDF Document

This generates a PDF document with an embedded DNS token. When someone opens the PDF document, a DNS lookup for a unique address is initiated, which triggers an alert.

  • Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, such as network_layout.pdf, employee_info.pdf, client_accessInfo.pdf, proposals.pdf, etc.

  • Ideal placements for this PDF document Token are network shares or a web server.

Windows Directory

This generates a zip file containing a directory/folder with a hidden token file. When someone browses to the tokened directory, a DNS lookup is initiated, which raises an alert.

  • Download the zip file containing the token "desktop.ini" file, create a folder on the Windows host, and place the generated "desktop.ini" file in it. Ensure the folder name looks juicy enough that cyber-criminals will attempt to access it, such as client_info, employee_info, backups, policies, etc.
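Both the PDF token and the Windows directory token fire through a DNS lookup rather than an HTTP request. The following added example, which is not BluSapphire's code, shows how a defender turns queries for a token zone into alerts: each token owns a unique label under a zone the defender controls, and a query for that label means the file was opened or the folder was browsed. The zone name, the log line format, the token table and the assumption that some tokens prepend the querying host as an extra label are all illustrative; the log lines are constructed.

```javascript
// Added example, not BluSapphire's code: turning DNS queries into alerts for
// the DNS-based tokens (PDF document and Windows directory). Zone name, log
// format and token table are assumptions; the log lines are constructed.
const TOKEN_ZONE = "t.example.net"; // assumed zone the token names live under

const DNS_TOKENS = new Map([
  ["k7x2m9", { kind: "pdf", memo: "network_layout.pdf on \\\\fileserver\\it" }],
  ["q4p8z1", { kind: "directory", memo: "C:\\Shares\\backups (desktop.ini)" }],
]);

// Constructed query-log format: "<iso-time> <client-ip> <qname> <qtype>".
const SAMPLE_LOG = [
  "2024-05-01T09:14:02Z 203.0.113.53 k7x2m9.t.example.net. A",
  "2024-05-01T09:14:02Z 203.0.113.53 k7x2m9.t.example.net. AAAA",
  "2024-05-01T09:20:45Z 198.51.100.9 www.example.net. A",
  "2024-05-01T11:02:10Z 192.0.2.77 HOST-PC01.q4p8z1.t.example.net. A",
  "2024-05-01T11:02:11Z 192.0.2.77 bogus.t.example.net. A",
];

// Return {id, extra} if qname is <id>.<zone> or <extra>.<id>.<zone>, else null.
// The second form covers tokens that prepend the querying host (assumption).
function tokenFromQname(qname, zone = TOKEN_ZONE) {
  const name = qname.toLowerCase().replace(/\.$/, "");
  const suffix = "." + zone.toLowerCase();
  if (!name.endsWith(suffix)) return null;
  const labels = name.slice(0, -suffix.length).split(".");
  return { id: labels[labels.length - 1], extra: labels.slice(0, -1).join(".") };
}

// Split one log line into its fields; null for malformed lines.
function parseLogLine(line) {
  const [time, client, qname, qtype] = line.trim().split(/\s+/);
  if (!time || !client || !qname || !qtype) return null;
  return { time, client, qname, qtype };
}

// One alert per token, client and minute: the A and AAAA lookups a host
// issues for the same name arrive together and must not alert twice.
function alertsFromLog(lines, tokens = DNS_TOKENS) {
  const seen = new Set();
  const alerts = [];
  for (const line of lines) {
    const q = parseLogLine(line);
    if (!q) continue;
    const t = tokenFromQname(q.qname);
    if (!t || !tokens.has(t.id)) continue; // unknown labels are scanner noise
    const key = `${t.id}|${q.client}|${q.time.slice(0, 16)}`;
    if (seen.has(key)) continue;
    seen.add(key);
    const meta = tokens.get(t.id);
    alerts.push({
      time: q.time,
      tokenId: t.id,
      kind: meta.kind,
      memo: meta.memo,
      // Caveat: the DNS client seen here is normally the recursive resolver
      // the opening host uses, not the host itself; correlate with the
      // resolver's own logs to reach the machine.
      resolverIp: q.client,
      extraLabels: t.extra,
    });
  }
  return alerts;
}

module.exports = { tokenFromQname, parseLogLine, alertsFromLog, SAMPLE_LOG };
```

Run `alertsFromLog(SAMPLE_LOG)` to see two alerts from five log lines: the duplicate AAAA lookup is collapsed, the unrelated and unknown names are ignored, and the directory token carries the extra label as a hint to which host browsed the folder.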
