# [Stages of APT] Asset Discovery

In most cases the goal of an APT campaign is the theft of intellectual property or confidential information [1], or access to specific systems within the target organization's network. For example, adversaries usually target patented technologies, diplomatic information, or the computers of researchers and executives in order to monitor their activity. Because the asset of interest is usually in digital form, the theft is hard to detect, which allows the adversaries to carry out the crime without being noticed.

Asset discovery usually happens during the lateral movement phase [2]. Depending on the asset type, the lateral movement stage varies in length, as it is not always possible to quickly determine where the data of interest is stored. Attackers perform basic network reconnaissance in order to map the servers on the network, and additional information gathering may take place throughout the lateral movement stage. Once the target is identified, adversaries try to gain access to the server and extract the desired digital information.

After gaining access to the server where the assets of interest are stored, samples of the data are validated. Discovery of additional assets may follow if the APT group suspects that the identified information is only partial. Once enough data has been discovered, the data exfiltration stage begins, during which the intellectual property, confidential information, etc. is copied over the network.

## Asset Discovery Techniques

The simplest example of asset discovery is a file search on the compromised system. It is common to see backdoors with built-in functionality for searching the target's file system. However, native commands serving the same purpose may be used by attackers when no malware is present and only shell access is available. In such a case a variation of the following command can be used by an adversary to look for sensitive files.

```
C:\Users\RayC\Desktop>dir *password.txt *.cert* *.docx *.pdf /s
Directory of C:\Users\RayC\Desktop

Directory of C:\Users\RayC\Desktop\projects

2016-07-07  12:13           111,303 2016_concept.docx
2016-08-27  02:06           711,303 2017_concept_v2.docx
2013-01-24  12:41            11,404 Bank_statement.docx
2016-08-19  17:40           134,303 Meeting_summary.docx
2015-02-27  18:55           171,303 RnD.docx

Directory of C:\Users\RayC\Desktop\projects

2015-05-27  12:42            90,512 Final_Report.pdf

Directory of C:\Users\RayC\Desktop\secrets

2011-08-27  12:39               792 Ray_C.cert
```

Another approach to finding relevant files is to list the files recently accessed by the user. This can be achieved by combining the dir and findstr commands, as shown below.

```
C:\>dir C:\Users\RayC\AppData\Roaming\Microsoft\Windows\Recent | findstr "docx pdf cert txt"
2016-08-27  12:39               725 Ray_C.cert.lnk
2016-08-26  00:20               537 a.txt.lnk
2016-08-20  19:55             1,402 Aanalysis_of_ The_Political_CMP.pdf.lnk
2016-08-20  19:55             1,277 CrowdStrike_Analysis.pdf.lnk
2016-08-27  12:42               984 Final_Report.pdf.lnk
2016-08-16  01:58             1,048 hint.txt.lnk
2016-08-26  00:01               647 INSTRUCTIONS.txt.lnk
2016-08-20  19:55             1,342 Microsoft_Report.pdf.lnk
2016-08-16  01:57             1,037 notes.txt.lnk
2016-08-27  12:40               761 RnD.docx.lnk
2016-08-23  22:46             1,107 rpt-2016.pdf.lnk
2016-08-24  00:42             1,107 rpt-2015.pdf.lnk
2016-08-20  19:57             1,307 tactical-investments.pdf.lnk
2016-08-20  20:02             1,332 visiting_conference.pdf.lnk
2016-08-20  20:14             1,177 wp-operation-status.pdf.lnk
```

While searching for files by a fragment of the filename is a quick way to discover interesting assets initially, a more effective way is to search files by their contents. This can also be done with native Windows commands such as find or findstr. An example of searching a specified location for user credentials is provided below.

```
C:\Users\johndoe\Desktop>findstr /S/I "username password certificate" *.cert *.txt
secrets\Ray_C.cert:-----BEGIN CERTIFICATE-----
secrets\Ray_C.cert:-----END CERTIFICATE-----
```

In an enterprise environment it is common to see file servers used for storing sensitive information. A file search on remote systems can therefore be performed from the compromised computer without compromising the file server itself. Provided the attacker has obtained credentials that grant access to files on the remote system, the PowerView tool can be used to enumerate network shares and search them, as shown in the example below.

```
PS C:\Users\RayC> Invoke-ShareFinder -ExcludeStandard
\\NODE4.contoso.com\Documents   -
\\NODE4.contoso.com\Users       -
\\FILE_SERVER.contoso.com\Storage       -
\\FILE_SERVER.contoso.com\Users         -
\\NODE2.contoso.com\New folder  -
\\NODE2.contoso.com\Users       -
\\NODE3.contoso.com\Users       -
\\NODE1.contoso.com\Users       -
\\SLC-DC01.contoso.com\CertEnroll       - Active Directory Certificate Services share
\\SLC-DC01.contoso.com\ExchangeOAB      - OAB Distribution share
\\SLC-DC01.contoso.com\GroupMetrics     - MailTips group metrics publishing point
\\SLC-DC01.contoso.com\NETLOGON         - Logon server share
\\SLC-DC01.contoso.com\PSTFiles         -
\\SLC-DC01.contoso.com\SYSVOL   - Logon server share
\\SLC-DC01.contoso.com\Templates        -
```

```
PS C:\Users\RayC> Find-InterestingFile \\FILE_SERVER\Storage -OfficeDocs

FullName       : \\FILE_SERVER\Storage\Contract_BANK_X.docx
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:47:46 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 41187

FullName       : \\FILE_SERVER\Storage\Contract_Legal.docx
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:46:44 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 23829

FullName       : \\FILE_SERVER\Storage\Expenses.xlsx
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:51:53 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 37989

FullName       : \\FILE_SERVER\Storage\Financial_Report.xlsx
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:51:14 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 8802

FullName       : \\FILE_SERVER\Storage\Report_December_2015.docx
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:45:58 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 12589
```
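The discovery commands shown in this section all leave a trace in process-creation command lines, which is where a defender would look for them. As an added example (not part of the original article), the following Python detector matches the four patterns shown above against constructed sample events; the event shape, host and user names, rule names and the triage threshold are all assumptions.

```python
import re

# Constructed sample events modelled on the commands shown in this article, in the
# shape of process-creation telemetry (timestamp, host, user, command line). Not real logs.
SAMPLE_EVENTS = [
    ("2016-08-27T12:45:01", "WS07", "rayc", r'cmd.exe /c dir *password.txt *.cert* *.docx *.pdf /s'),
    ("2016-08-27T12:46:10", "WS07", "rayc", r'cmd.exe /c dir C:\Users\RayC\AppData\Roaming\Microsoft\Windows\Recent | findstr "docx pdf cert txt"'),
    ("2016-08-27T12:47:33", "WS07", "rayc", r'findstr /S/I "username password certificate" *.cert *.txt'),
    ("2016-08-27T12:50:02", "WS07", "rayc", r'powershell.exe -c Invoke-ShareFinder -ExcludeStandard'),
    ("2016-08-27T12:51:40", "WS07", "rayc", r'powershell.exe -c Find-InterestingFile \\FILE_SERVER\Storage -OfficeDocs'),
    ("2016-08-27T13:02:11", "WS07", "rayc", r'cmd.exe /c dir C:\Users\RayC\Desktop'),  # ordinary use, must not match
]

# Detection rules: (name, predicate over the lower-cased command line). Each rule
# corresponds to one technique shown in the article, not to a specific tool binary.
RULES = [
    ("recursive_dir_for_documents", lambda c: "dir " in c
        and re.search(r"(^|\s)/s(\s|$)", c) is not None                      # recursive listing
        and re.search(r"\.(docx?|xlsx?|pdf|rtf|cert|txt)\b", c) is not None),  # document extensions
    ("recent_items_enumeration", lambda c: "dir " in c and r"\recent" in c),
    ("content_search_for_credentials", lambda c: "findstr" in c
        and re.search(r"\b(password|username|certificate|credential)\b", c) is not None),
    ("powerview_share_discovery",
        lambda c: "invoke-sharefinder" in c or "find-interestingfile" in c),
]

def classify(cmdline):
    """Names of every rule the command line matches (empty list if none)."""
    c = cmdline.lower()
    return [name for name, pred in RULES if pred(c)]

def scan(events):
    """(timestamp, host, user, matched_rules) for each event matching at least one rule."""
    return [(ts, host, user, classify(cmd)) for ts, host, user, cmd in events if classify(cmd)]

def triage_candidates(hits, threshold=3):
    """(host, user) pairs that triggered at least `threshold` distinct rules: a single
    file search is routine noise, several different discovery techniques in a row is not."""
    seen = {}
    for _, host, user, rules in hits:
        seen.setdefault((host, user), set()).update(rules)
    return sorted(key for key, rules in seen.items() if len(rules) >= threshold)

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("triage:", triage_candidates(hits))
```

The per-command rules are deliberately loose (a developer running `dir /s *.txt` will match), so the grouping in `triage_candidates` is what turns them into an alert worth a look.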

Finally, it is worth mentioning that files are not always the asset the attacker is looking for. Sometimes, for example, the correspondence between specific people is the matter of interest; in that case attackers try to gain access to communication channels such as email or instant messaging accounts, mobile phones, etc. Access to a particular computer on the network can also be the intruders' target. If so, attackers try to locate that computer on the network and gain access to it.

## Real World Example: APT30

To perform asset discovery, the malware used by APT30 includes both manual and automatic features. In the manual approach, the file system of the infected computer can be enumerated interactively via the BACKSPACE controller's GUI once the control session is established; the commands implemented in the BACKSPACE backdoor allow the threat actor to enumerate local and network resources. Automatic asset discovery is implemented in the SPACESHIP and FLASHFLOOD components. These components are mainly configured with predefined locations and file types of interest, which are harvested from infected machines. For example, SPACESHIP and FLASHFLOOD were identified as targeting Microsoft Word documents (.doc and .docx), Adobe Acrobat files (.pdf), Rich Text Format files (.rtf) and other extensions. The main difference between the two components is that SPACESHIP copies files stolen from the local file system to an inserted USB drive, while FLASHFLOOD copies files from inserted USB drives [3]. This suggests that the components are designed to work together.

## References

1. Symantec. (2011). Advanced Persistent Threats: A Symantec Perspective.