Tokens (ADS - Tokens)
This article describes how to use Active Defense Service (ADS) Tokens to help defend your network.
Active Defense Service (ADS) Tokens are traps placed in a system or on a network under attractive names, in the form of documents (Word, Excel, PDF), folders and so on. They lie in wait for cyber criminals to access them; when one does, the token reveals the information needed to identify where it was triggered.
These Tokens are similar to Active Defense Services (ADS) in how they are used. The difference is that ADS Services such as SSH, MySQL, Telnet and others are deployed as decoy services within the network, which a cyber-criminal may interact with and thereby raise a red flag, whereas a Token is a passive artifact that raises the flag when it is opened or accessed.
As part of the beta release, BluSapphire offers the following types of Active Defense Service (ADS) Tokens that can be positioned in a system or network:
This is a generic URL token that is generated and can be embedded as a 1x1 image inside a document, web page, etc. Alerts are generated when the document is opened or accessed, together with information about where the token was triggered.
- Embed the token in documents with attractive filenames and place them on a system or on a network file share.
- Embed it in web pages that cannot be reached by following links and can only be found by brute-forcing paths.
One of the attack vectors most widely used by cyber-criminals is phishing, which involves:
- Cloning the web login portals of the target organization
- Hosting the cloned web page in an attacker-controlled environment
- Running a campaign that serves the cloned login portal to users, tricking them into entering their access credentials.
The Cloned Web Token detects such activity by alerting you whenever someone clones your website and hosts it on a different domain.
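The two HTTP-based tokens above (the generic 1x1 image URL token and the Cloned Web Token) share one mechanism: an unguessable beacon URL, and a collector that turns a request for it into an alert carrying where the hit came from. The following is an added example of that collector logic, not BluSapphire code; the beacon host `beacon.example.invalid`, the `/t/<id>/p.gif` path layout and the `l`/`r` query parameters are constructed assumptions. For the cloned-web case the page reports the host it was actually served from and the collector decides server-side, so the copy of the page never reveals which hosts are considered legitimate.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs

BEACON_HOST = "beacon.example.invalid"   # assumed collection host (constructed)

# 1x1 transparent GIF: the smallest well-formed body a beacon can answer with.
PIXEL_GIF = bytes.fromhex(
    "47494638396101000100800000000000ffffff21f90401000000002c00000000"
    "010001000002024401003b"
)


@dataclass
class Token:
    token_id: str
    kind: str                 # "url" (plain beacon) or "cloned_web"
    memo: str                 # where it was planted; the alert is read against this
    legit_hosts: frozenset = frozenset()   # cloned_web only: hosts allowed to serve the page


REGISTRY: dict[str, Token] = {}


def create_token(kind, memo, legit_hosts=()):
    """Mint an unguessable id so the beacon URL cannot be enumerated."""
    tok = Token(secrets.token_hex(8), kind, memo,
                frozenset(h.lower() for h in legit_hosts))
    REGISTRY[tok.token_id] = tok
    return tok


def embed_snippet(tok):
    """HTML to paste into the page or HTML-capable document being protected."""
    url = f"https://{BEACON_HOST}/t/{tok.token_id}/p.gif"
    if tok.kind == "url":
        return f'<img src="{url}" width="1" height="1" alt="">'
    # cloned_web: the browser reports the host it really loaded the page from.
    # The legitimate host list stays server-side, so a copy of the page does
    # not reveal what the check compares against.
    return ("<script>new Image().src='" + url + "?l='"
            "+encodeURIComponent(location.hostname)"
            "+'&r='+encodeURIComponent(document.referrer);</script>")


def handle_hit(path, query, headers, remote_addr, now=None):
    """Serve one beacon request: returns (body, alert), alert being None when quiet.

    Unknown or unregistered paths still get the pixel, never a 404, so that
    probing the beacon host does not reveal which ids are live.
    """
    parts = path.strip("/").split("/")
    tok = REGISTRY.get(parts[1]) if len(parts) >= 2 and parts[0] == "t" else None
    if tok is None:
        return PIXEL_GIF, None
    q = parse_qs(query)
    hdr = {k.lower(): v for k, v in headers.items()}
    reported_host = q.get("l", [""])[0].lower()
    if tok.kind == "cloned_web" and reported_host in tok.legit_hosts:
        return PIXEL_GIF, None       # our own site loaded normally: nothing to report
    alert = {
        "token_id": tok.token_id,
        "kind": tok.kind,
        "memo": tok.memo,
        "source_ip": remote_addr,
        "user_agent": hdr.get("user-agent", ""),
        "referer": hdr.get("referer", ""),
        "seen_at": (now or datetime.now(timezone.utc)).isoformat(),
    }
    if tok.kind == "cloned_web":
        # Any host not on the allow-list, including an empty one from a direct
        # fetch of the pixel, is treated as a copy of the page.
        alert["cloned_host"] = reported_host or "(not reported)"
        alert["page_referrer"] = q.get("r", [""])[0]
    return PIXEL_GIF, alert


if __name__ == "__main__":
    doc = create_token("url", r"\\fs01\shared\network-layout.html")   # constructed memo
    print(embed_snippet(doc))
    _, alert = handle_hit(f"/t/{doc.token_id}/p.gif", "", {"User-Agent": "Word/16.0"}, "10.20.30.40")
    print(alert)
```

The memo is the part worth getting right when a token is created: the alert only tells you where the document or page was planted if you recorded that at generation time, and the Referer header from a document viewer is often empty, so the memo is frequently the only location information you get.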
This generates a Microsoft Word document with the token embedded in it; the token is triggered when someone opens the Word document.
- Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, for example employee_salaries.docx, client_access.docx, network-layout.docx or proposals.docx.
- Ideal placements for this MS Word Token are network file shares or the web server. Alternatively, use the generated token files in combination with the ADS - LIADS SMB Service and make them accessible via the LIADS SMB network share.
This generates a Microsoft Excel document with the token embedded in it; the token is triggered when someone opens the Excel document.
- Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, for example employee_salaries.xlsx, employee_info.xlsx, client_access.xlsx or proposals.xlsx.
- Ideal placements for this MS Excel Token are network shares or the web server. Alternatively, use the generated token files in combination with the ADS - LIADS SMB Service and make them accessible via the LIADS SMB network share.
This Token helps detect the execution on the host of sensitive built-in Windows commands such as whoami.exe, net.exe and wmic.exe, or of attacker tools such as mimikatz.exe and wce.exe.
- This technique uses a Windows registry key to monitor command execution and generates an alert when someone runs a command that the token is monitoring.
- The generated registry file must be imported on the host with administrator privileges. When someone then runs a monitored command, an alert is generated with information on where the command was executed: the host and the user who invoked it.
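The page does not say which registry key the product's generator writes. As an added example, not BluSapphire's generator, the block below assumes the mechanism that open-source command tokens commonly use: Windows' documented silent-process-exit monitoring, where `GlobalFlag` 0x200 under `Image File Execution Options\<exe>` plus a `SilentProcessExit\<exe>` key make Windows launch a monitor process each time the named executable exits, and that monitor process performs one DNS lookup whose labels carry the computer name, user name and command. The second half is the collector-side decoder that turns such a query name into the alert described above. `tok.example.invalid`, the 16-hex-digit token id and the label layout are constructed assumptions.

```python
import re

TOKEN_ZONE = "tok.example.invalid"   # assumed token DNS zone (constructed)
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"


def dns_label(exe):
    """Turn 'whoami.exe' into a label that is legal inside a DNS name."""
    base = exe.lower().removesuffix(".exe")
    return re.sub(r"[^a-z0-9-]", "-", base)[:63]


def reg_file(token_id, executables):
    """Build the .reg text that arms the token for each executable.

    For every image name, IFEO GlobalFlag 0x200 enables silent-process-exit
    monitoring and the SilentProcessExit key names the monitor process, so the
    moment e.g. whoami.exe exits, Windows runs our command, which issues one
    DNS lookup carrying host, user and command name as labels.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for exe in executables:
        exe = exe.lower()
        # cmd.exe expands %COMPUTERNAME% and %USERNAME% at run time, so the
        # query itself tells us where and by whom the command was executed.
        monitor = (f"cmd.exe /c nslookup %COMPUTERNAME%.%USERNAME%."
                   f"{dns_label(exe)}.{token_id}.{TOKEN_ZONE}")
        lines += [
            f"[{IFEO}\\{exe}]",
            '"GlobalFlag"=dword:00000200',      # FLG_MONITOR_SILENT_PROCESS_EXIT
            "",
            f"[{SPE}\\{exe}]",
            '"ReportingMode"=dword:00000001',   # launch MonitorProcess on exit
            f'"MonitorProcess"="{monitor}"',
            "",
        ]
    return "\r\n".join(lines)


# Expected query layout: <host>.<user>.<command>.<token>.<zone>
QUERY_RE = re.compile(
    r"^(?P<host>[a-z0-9-]{1,63})\.(?P<user>[a-z0-9-]{1,63})\.(?P<cmd>[a-z0-9-]{1,63})\."
    r"(?P<token>[0-9a-f]{16})\." + re.escape(TOKEN_ZONE) + r"\.?$",
    re.IGNORECASE,
)


def alert_from_query(qname, known_tokens):
    """Map a queried name seen by the token zone's DNS server back to an alert.

    `known_tokens` is {token_id: memo}. Names that do not fit the layout, or
    that carry an unknown id, return None so stray lookups never become alerts.
    """
    m = QUERY_RE.match(qname.strip())
    if not m:
        return None
    token_id = m["token"].lower()
    if token_id not in known_tokens:
        return None
    return {
        "token_id": token_id,
        "memo": known_tokens[token_id],
        "host": m["host"].upper(),
        "user": m["user"],
        "command": m["cmd"].lower() + ".exe",
    }


if __name__ == "__main__":
    tid = "0123456789abcdef"                     # constructed token id
    print(reg_file(tid, ["whoami.exe", "net.exe", "wmic.exe"]))
    print(alert_from_query(f"fin-ws07.jdoe.whoami.{tid}.{TOKEN_ZONE}.", {tid: "finance workstation"}))
```

Two practical caveats follow from this layout. The monitor command passes `%USERNAME%` unmodified, so a user name containing dots or spaces would add labels or break the lookup, and a real generator has to sanitize it before it is placed in the name (the decoder above expects exactly one label per field). And because the trigger is the process exiting, very short-lived commands still fire, but a tool that is renamed before execution is not matched; the token detects use of the named image, not the behaviour.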
This generates a PDF document with an embedded DNS token. When someone opens the PDF, a DNS lookup for a unique name is initiated, which in turn triggers an alert.
- Once the token is generated, rename the file to something that looks juicy and attractive enough that cyber-criminals will attempt to open it, for example network_layout.pdf, employee_info.pdf, client_accessInfo.pdf or proposals.pdf.
- Ideal placements for this PDF document Token are network shares or the web server.
This generates a zip file containing a directory (folder) with a hidden token file. A DNS lookup is initiated when someone browses to the tokened directory, which raises an alert.
- Download the zip file containing the token “desktop.ini” file, create a folder on the Windows host and place the generated “desktop.ini” file in it. Make sure the folder name looks juicy enough that cyber-criminals will attempt to access it, for example client_info, employee_info, backups or policies.
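The PDF token and the folder token both end in the same place: a DNS query for a unique name arriving at the token zone's name server. The added example below (not BluSapphire's code) shows both halves for these two token types: generating the `desktop.ini` for a decoy folder, assuming it works the way the common open-source folder tokens do (an `IconResource` pointing at a UNC path under a token host name, so Explorer resolves that name when it draws the folder), and parsing name-server query logs into alerts that name the token, where it was planted and the client that looked it up. The zone `tok.example.invalid`, the token ids, the memos and the BIND-style log lines are all constructed.

```python
import re
from datetime import datetime, timedelta

TOKEN_ZONE = "tok.example.invalid"   # assumed zone whose authoritative server logs every query

# Constructed token registry: id -> (kind, where it was planted). The memo is
# what an analyst needs to find the decoy that was touched.
TOKENS = {
    "3f9a0c1d5e7b2a46": ("folder", r"\\fs01\shared\client_info"),
    "77e1b0c9d4a2f358": ("pdf", r"\\fs01\shared\network_layout.pdf"),
}


def desktop_ini(token_id):
    """desktop.ini for the decoy folder: Explorer resolves the UNC host name to
    fetch the folder icon, and that DNS lookup is what trips the token."""
    return ("[.ShellClassInfo]\r\n"
            f"IconResource=\\\\{token_id}.{TOKEN_ZONE}\\resource.dll,0\r\n")


# Constructed BIND-style query-log lines; the parser only relies on the
# timestamp, the client address and the queried name.
SAMPLE_LOG = [
    "15-Mar-2024 10:15:02.114 client 10.20.30.40#52144: query: 3f9a0c1d5e7b2a46.tok.example.invalid IN A + (192.0.2.53)",
    "15-Mar-2024 10:15:04.002 client 10.20.30.40#52145: query: 3f9a0c1d5e7b2a46.tok.example.invalid IN AAAA + (192.0.2.53)",
    "15-Mar-2024 10:15:09.551 client 10.20.30.40#52146: query: www.example.com IN A + (192.0.2.53)",
    "15-Mar-2024 11:42:37.800 client 198.51.100.23#40311: query: 77e1b0c9d4a2f358.tok.example.invalid. IN A + (192.0.2.53)",
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def token_from_qname(qname):
    """Return the token id encoded in a queried name, or None if it is not ours.

    The id is the label immediately left of the zone, so extra labels that a
    resolver or client may prepend do not hide the token.
    """
    name = qname.lower().rstrip(".")
    suffix = "." + TOKEN_ZONE
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    return labels[-1] if labels[-1] in TOKENS else None


def alerts_from_log(lines, window=timedelta(minutes=5)):
    """One alert per (token, client) burst.

    Explorer and PDF readers usually issue several lookups (A, AAAA, retries)
    for a single access, so repeats within `window` are folded into the first
    alert as a lookup count instead of paging someone once per query.
    """
    alerts, latest = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        token_id = token_from_qname(m["qname"])
        if token_id is None:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        key = (token_id, m["ip"])
        idx = latest.get(key)
        if idx is not None and ts - alerts[idx]["last_seen"] < window:
            alerts[idx]["lookups"] += 1
            alerts[idx]["last_seen"] = ts
            continue
        kind, memo = TOKENS[token_id]
        latest[key] = len(alerts)
        alerts.append({
            "token_id": token_id, "kind": kind, "memo": memo,
            "source_ip": m["ip"], "first_seen": ts, "last_seen": ts, "lookups": 1,
        })
    return alerts


if __name__ == "__main__":
    print(desktop_ini("3f9a0c1d5e7b2a46"))
    for alert in alerts_from_log(SAMPLE_LOG):
        print(alert)
```

When testing a deployment, browse to the decoy folder once and confirm a query for the token name reaches the log: Explorer only honours desktop.ini when the folder carries the read-only or system attribute, so a folder created without it will silently never fire. The source address in the alert is the resolver that forwarded the query, not necessarily the workstation; correlating it with the internal resolver's own logs is what turns it into the host that opened the folder or document.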