For this week’s TTP Tuesday, we wanted to focus on some techniques that often go under the radar. APT40 seems to use valid credentials for a lot of their attacks, whether they get these credentials from watering holes, data dumps, or files on a compromised box. This chain will find and exfiltrate files that possibly contain cleartext credentials. These types of files are prevalent in numerous organizations; they are often created by users or administrators who do not remember all their passwords. Development teams can also leave passwords inside code files, documentation, or other configuration files.
Identifying Potential Files
Looking for these types of files can be a long-running process, so to keep the TTP’s runtime to a minimum we only identify filenames that contain “user” or “pass” in the user’s home directory. Identifying files with suspicious names is only the first step. We then go through the identified files and ensure that each file isn’t in a binary format, while also doing some rudimentary checks for special characters in the text of the file, since this aligns with “most” current password requirement policies. After identifying the files, we compress them and serve them on a website.
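Defenders can apply the same three filters to find these files before an adversary does. The audit below is an added example, not the chain's own code: it reports relative paths only and never copies or prints file contents. The function names, the UTF-8/NUL binary test and the "8+ character token with a letter, a digit and a special character" heuristic are assumptions standing in for the post's rudimentary checks.

```python
import os, string, tempfile
from pathlib import Path

NAME_HINTS = ("user", "pass")        # filename substrings named in the post
SPECIALS = set(string.punctuation)   # assumption: "special character" = ASCII punctuation

def decode_text(data: bytes):
    """Return the text, or None for binary data (NUL byte or invalid UTF-8)."""
    try:
        return None if b"\x00" in data else data.decode("utf-8")
    except UnicodeDecodeError:
        return None

def has_password_like_token(text: str) -> bool:
    """Assumed heuristic: an 8+ char token mixing a letter, a digit and a special."""
    return any(
        len(t) >= 8 and any(c.isalpha() for c in t)
        and any(c.isdigit() for c in t) and any(c in SPECIALS for c in t)
        for t in text.split())

def audit_home(root) -> list[str]:
    """Return relative paths of candidate files; contents are never printed or copied."""
    root, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not any(h in name.lower() for h in NAME_HINTS) or path.is_symlink():
                continue
            try:
                text = decode_text(path.read_bytes())
            except OSError:  # unreadable file: skip rather than abort the audit
                continue
            if text is not None and has_password_like_token(text):
                findings.append(path.relative_to(root).as_posix())
    return sorted(findings)

def demo() -> list[str]:
    """Run the audit over a constructed sample tree (all contents are made up)."""
    samples = {"passwords.txt": b"vpn: Summer2024!x\n",
               "user_notes.txt": b"remember to call the vendor\n",
               "passport.jpg": b"\xff\xd8\x00\x10JFIF",
               "todo.txt": b"db: Winter2024#abc\n",
               "docs/User-Setup.md": b"login admin / Tr0ub4dor&3x\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return audit_home(tmp)
```

Calling `audit_home(Path.home())` runs the same audit against a real profile; anything it lists is a candidate for moving into a password manager or secrets vault.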
Serving the Artifacts
The chain stands up a minimal website with a link to the compressed file. The website is designed to only receive two requests and then it shuts itself down. This allows the malicious actor to visit the website (first request), and download the file (second request). After the second request, the clean-up phase starts.
The clean-up TTP will execute after the two requests have taken place. This will remove the files that were created during the previous steps.
Next week we will be starting a brand new theme!
Check it out on the Prelude chains website.
Staying up to date
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Get our products
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Read, watch, and listen
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg