In most cases the goal of an APT campaign is the theft of intellectual property or confidential information, or access to specific systems within the target organization's network. For example, adversaries commonly target patented technologies, diplomatic information, or the computers of researchers and executives in order to monitor their activity. Because the asset of interest is usually in digital form, its theft is hard to detect, which allows the adversaries to complete the crime without being noticed.
Asset discovery usually happens during the lateral movement phase. Depending on the asset type, the lateral movement stage can vary in length, since it is not always possible to quickly determine where the data of interest is stored. Attackers try to perform basic network reconnaissance in order to map the servers on the network, and additional information gathering may take place during the lateral movement stage. Once the target is identified, adversaries try to gain access to the server and extract the desired digital information.
After gaining access to the server where the assets of interest are stored, samples of the data are validated. Discovery of additional assets may be performed if the APT group suspects that the identified information is partial. Once enough data has been discovered, the data exfiltration stage follows, during which the intellectual property, confidential information, etc. is copied out over the network.
Asset Discovery Techniques
The simplest example of asset discovery is a file search on the compromised system. It is common to see backdoors with built-in functionality for searching the target's file system. However, native commands that serve the same purpose may be used by attackers when no malware is present and only shell access is available. In such a case, a variation of the following command can be used by an adversary to look for sensitive files.

```text
C:\Users\RayC\Desktop>dir *password.txt *.cert* *.docx *.pdf /s

 Directory of C:\Users\RayC\Desktop

2014-01-27  12:37                50 facebook_password.txt

 Directory of C:\Users\RayC\Desktop\projects

2016-07-07  12:13           111,303 2016_concept.docx
2016-08-27  02:06           711,303 2017_concept_v2.docx
2013-01-24  12:41            11,404 Bank_statement.docx
2016-08-19  17:40           134,303 Meeting_summary.docx
2015-02-27  18:55           171,303 RnD.docx

 Directory of C:\Users\RayC\Desktop\projects

2015-05-27  12:42            90,512 Final_Report.pdf

 Directory of C:\Users\RayC\Desktop\secrets

2011-08-27  12:39               792 Ray_C.cert
```
Another approach to finding relevant files is to list the files the user has recently accessed. This can be achieved by combining the dir and findstr commands as shown below.

```text
C:\>dir C:\Users\RayC\AppData\Roaming\Microsoft\Windows\Recent | findstr "docx pdf cert txt"
2016-08-27  12:39               725 Ray_C.cert.lnk
2016-08-26  00:20               537 a.txt.lnk
2016-08-20  19:55             1,402 Aanalysis_of_ The_Political_CMP.pdf.lnk
2016-08-20  19:55             1,277 CrowdStrike_Analysis.pdf.lnk
2016-08-27  12:37               821 enterprise_logins.txt.lnk
2016-08-27  12:36               695 facebook_password.txt.lnk
2016-08-27  12:42               984 Final_Report.pdf.lnk
2016-08-16  01:58             1,048 hint.txt.lnk
2016-08-26  00:01               647 INSTRUCTIONS.txt.lnk
2016-08-20  19:55             1,342 Microsoft_Report.pdf.lnk
2016-08-16  01:57             1,037 notes.txt.lnk
2016-08-27  12:40               761 RnD.docx.lnk
2016-08-23  22:46             1,107 rpt-2016.pdf.lnk
2016-08-24  00:42             1,107 rpt-2015.pdf.lnk
2016-08-20  19:57             1,307 tactical-investments.pdf.lnk
2016-08-20  20:02             1,332 visiting_conference.pdf.lnk
2016-08-20  20:14             1,177 wp-operation-status.pdf.lnk
```
While searching for files by a fragment of the filename is a quick way to initially discover interesting assets, a more efficient way is to search files by their contents. This can also be performed with native Windows commands such as find or findstr. An example of searching a specified location for user credentials is provided below.

```text
C:\Users\johndoe\Desktop>findstr /S/I "username password certificate" *.cert *.txt
facebook_password.txt:username: RayC
facebook_password.txt:password: YouWillNewverGuess!!!
secrets\enterprise_logins.txt:username: Ray
secrets\enterprise_logins.txt:password: Uyre^3!q3.?
secrets\enterprise_logins.txt:username: [email protected]
secrets\enterprise_logins.txt:password: Default123!
secrets\Ray_C.cert:-----BEGIN CERTIFICATE-----
secrets\Ray_C.cert:-----END CERTIFICATE-----
```
In an enterprise environment it is common to see file servers used for storing sensitive information. A file search on remote systems can therefore be performed from the compromised computer without compromising the file server itself. Provided that the attacker has obtained credentials that grant access to files on the remote system, the PowerView tool can be used to easily enumerate network shares and search them, as shown in the example below.

```text
PS C:\Users\RayC> Invoke-ShareFinder -ExcludeStandard
\\NODE4.contoso.com\Documents -
\\NODE4.contoso.com\Users -
\\FILE_SERVER.contoso.com\Storage -
\\FILE_SERVER.contoso.com\Users -
\\NODE2.contoso.com\New folder -
\\NODE2.contoso.com\Users -
\\NODE3.contoso.com\Users -
\\NODE1.contoso.com\Users -
\\SLC-DC01.contoso.com\Address - "Access to address objects"
\\SLC-DC01.contoso.com\CertEnroll - Active Directory Certificate Services share
\\SLC-DC01.contoso.com\ExchangeOAB - OAB Distribution share
\\SLC-DC01.contoso.com\GroupMetrics - MailTips group metrics publishing point
\\SLC-DC01.contoso.com\NETLOGON - Logon server share
\\SLC-DC01.contoso.com\PSTFiles -
\\SLC-DC01.contoso.com\SYSVOL - Logon server share
\\SLC-DC01.contoso.com\Templates -

PS C:\Users\RayC> Find-InterestingFile \\FILE_SERVER\Storage -OfficeDocs

FullName       : \\FILE_SERVER\Storage\Contract_BANK_X.docx
Owner          : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:47:46 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 41187

FullName       : \\FILE_SERVER\Storage\Contract_Legal.docx
Owner          : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:46:44 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 23829

FullName       : \\FILE_SERVER\Storage\Expenses.xlsx
Owner          : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:51:53 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 37989

FullName       : \\FILE_SERVER\Storage\Financial_Report.xlsx
Owner          : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:51:14 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 8802

FullName       : \\FILE_SERVER\Storage\Report_December_2015.docx
Owner          : BUILTIN\Administrators
LastAccessTime : 8/10/2016 4:54:11 PM
LastWriteTime  : 8/10/2016 4:45:58 PM
CreationTime   : 8/10/2016 4:54:11 PM
Length         : 12589
```
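From a detection standpoint, the searches shown in this section (recursive dir for sensitive names, listing the Recent folder, findstr for credential keywords, and PowerView share enumeration) all leave a distinctive process command line. The following Python sketch is an added example, not part of the original article; it flags such command lines in process-creation records, and the event records and their field names (host, user, image, cmdline) are constructed for illustration.

```python
import re
from typing import Dict, List

# Filename fragments and extensions the article shows attackers hunting for.
SENSITIVE_TOKENS = re.compile(r"password|secret|login|credential|\.cert|\.docx|\.xlsx|\.pdf|\.rtf", re.I)
# Keywords used to grep file contents for credentials.
CRED_WORDS = re.compile(r"\b(username|password|certificate)\b", re.I)
# The per-user shell "Recent" folder that holds .lnk files for recently opened documents.
RECENT_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Recent", re.I)
# PowerView cmdlets used for share enumeration and file hunting.
POWERVIEW = re.compile(r"Invoke-ShareFinder|Find-InterestingFile|Invoke-FileFinder", re.I)


def classify_command(cmdline: str) -> List[str]:
    """Return the asset-discovery indicators matched by one process command line."""
    hits: List[str] = []
    lower = cmdline.lower()
    uses_dir = re.search(r"\bdir\b", lower) is not None
    recursive = re.search(r"(^|\s)/s\b", lower) is not None  # cmd.exe /S switch
    if uses_dir and recursive and SENSITIVE_TOKENS.search(cmdline):
        hits.append("recursive_sensitive_file_search")
    if uses_dir and RECENT_DIR.search(cmdline):
        hits.append("recent_files_enumeration")
    if re.search(r"\bfindstr\b", lower) and CRED_WORDS.search(cmdline):
        hits.append("credential_content_search")
    if POWERVIEW.search(cmdline):
        hits.append("powerview_share_enumeration")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events that look like asset discovery, annotated with their indicators."""
    return [{**ev, "indicators": hits} for ev in events if (hits := classify_command(ev["cmdline"]))]


# Constructed process-creation records modelled on the commands shown in this article.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "RayC", "image": "cmd.exe",
     "cmdline": r'dir *password.txt *.cert* *.docx *.pdf /s'},
    {"host": "WS01", "user": "RayC", "image": "cmd.exe",
     "cmdline": r'dir C:\Users\RayC\AppData\Roaming\Microsoft\Windows\Recent | findstr "docx pdf cert txt"'},
    {"host": "WS01", "user": "johndoe", "image": "findstr.exe",
     "cmdline": r'findstr /S/I "username password certificate" *.cert *.txt'},
    {"host": "WS01", "user": "RayC", "image": "powershell.exe",
     "cmdline": r'Find-InterestingFile \\FILE_SERVER\Storage -OfficeDocs'},
    {"host": "WS02", "user": "svc_build", "image": "cmd.exe",
     "cmdline": r'dir C:\build\logs\*.log /s'},  # benign: recursive, but no sensitive pattern
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(ev["host"], ev["user"], ev["indicators"], ev["cmdline"])
```

The benign build-server listing is deliberately not flagged: recursion alone is common administrative behaviour, so the rules require a sensitive name pattern, the Recent folder, credential keywords or a PowerView cmdlet.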
Finally, it is worth mentioning that files are not always the asset an attacker is looking for. For example, the correspondence between specific people is sometimes the matter of interest. In such a case, attackers try to gain access to communication channels such as email or instant messaging accounts, mobile phones, etc. Additionally, access to a certain computer on the network can itself be the intruders' target. If that is the case, attackers try to locate the computer on the network and gain access to it.
Real World Example: APT30
To perform asset discovery, the malware used by APT30 includes both manual and automatic features. In the manual approach, the file system of the infected computer can be enumerated interactively via the BACKSPACE controller's GUI once the control session is established; the commands implemented in the BACKSPACE backdoor allow the threat actor to enumerate local and network resources. Automatic asset discovery is implemented in the SPACESHIP and FLASHFLOOD components. These components are configured with predefined locations and file types of interest, which are harvested from infected machines. For example, SPACESHIP and FLASHFLOOD were identified as targeting Microsoft Word documents (.doc and .docx), Adobe Acrobat files (.pdf), Rich Text Format files (.rtf) and other extensions. The main difference between the components is that SPACESHIP copies files stolen from the local file system to an inserted USB drive, while FLASHFLOOD copies files from inserted USB drives. This leads to the conclusion that the two components may work together.