Description: The Windows Folder Canarytoken works by dropping a desktop.ini file into a folder. That file instructs Explorer to load a custom icon for the folder, and the icon's path points to a unique DNS hostname that resolves through your Canary Console, so the lookup Explorer performs when it renders the folder is what raises the alert.
For this Canarytoken to function correctly, the Canarytoken folder itself and the desktop.ini file in it must both have the filesystem's System attribute set, and the GPO "Allow the use of remote paths in file shortcut icons" must be enabled on the machine(s) accessing the folder.
Note re the System attribute: Some versions of Microsoft Windows (e.g. Windows Server 2016) do NOT preserve the System attribute of the Canarytoken folder when the archive is extracted with the built-in zip extraction feature. The result is a Windows Folder Canarytoken that does not trigger when the folder is opened.
Note re the Remote Paths GPO: A recent group policy change in some versions of Windows (most notably Windows 11) disables, by default, the functionality this token relies on in order to fire.
If your Token isn't firing and you've already verified the system attribute is enabled for it, navigate to Group Policy > Computer Configuration > Administrative Templates > Windows Components > File Explorer > and ensure "Allow the use of remote paths in file shortcut icons" is enabled.
Enabling the policy creates a registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer called EnableShellShortcutIconRemotePath of type REG_DWORD set to 1.
If making this GPO Change isn't feasible for your organisation, we suggest checking out our Sensitive Command Token as an alternative.
Follow the steps below to create a Windows Folder Canarytoken, and set the proper filesystem attributes if needed:
Log in to your Console.
Select the Canarytokens tile.
Select the Windows Folder token from the list.
Over time, if you are using tokens correctly, you will deploy thousands of them all over the place. Make your Reminder as descriptive as possible; it is what reminds the future you where the token was dropped. Nothing is worse than a token firing an alert that reads "test" and not knowing where you placed it.
Note: we chose "Dropped at C:\Confidential on WEBSERVER-01" as the reminder.
Download the Canarytoken archive.
Move the archive to its intended location.
Right-click the archive and select Extract All...
Verify the destination, click Extract, and rename the extracted folder from "My Documents" to something more in line with your naming conventions.
(Optional) Delete the Archive file
If the token does not trigger when the folder is opened, the most likely cause is that the filesystem's System attribute was lost during extraction (if the attribute is present, check the Remote Paths GPO described above instead).
NOTE: This is the default behavior in Microsoft Windows Server 2016, so if you are dropping the token on that version, follow the steps below to ensure the Windows Folder Canarytoken works as expected.
To check the Canarytoken folder's filesystem attributes, open its parent folder in Explorer ("C:\Confidential" in this example), click the address bar so the path is highlighted, type "cmd.exe" and press Enter. This opens a command prompt at that folder; typing "attrib" there lists the attributes of each item, and an "S" in the listing means the System attribute is set.
Type "attrib +s CanaryToken_Folder" (substituting the name you gave the folder) in the cmd.exe window.
This adds the required filesystem attribute to the folder. Remember that the desktop.ini inside it must carry the System attribute as well (see the requirements above); the same command with the file's path adds it if it is missing.
The Canarytoken should now trigger when the folder is opened.
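The following PowerShell script is an added example, not code shipped with Canarytokens, that checks in one pass the two preconditions described above (the System attribute on both the folder and its desktop.ini, and the EnableShellShortcutIconRemotePath policy value the GPO writes) and optionally repairs them. The folder path, the -Repair switch and the sample path in the comments are assumptions for illustration; the attribute bits and the registry location come from the requirements stated on this page.

```powershell
# Added example (not the Canarytokens project's own code). Verifies, and with -Repair fixes,
# the preconditions this page gives for a Windows Folder Canarytoken:
#   1. the token folder and its desktop.ini both carry the System attribute
#   2. "Allow the use of remote paths in file shortcut icons" is enabled
# $TokenFolder and -Repair are illustrative assumptions; run as Administrator to change policy.
param(
    [Parameter(Mandatory = $true)]
    [string]$TokenFolder,   # e.g. C:\Confidential\Finance_Q3 (assumed example path)
    [switch]$Repair         # set missing attributes / policy instead of only reporting
)

# True when the System attribute bit is present on a file or directory.
function Test-SystemAttr {
    param([System.IO.FileSystemInfo]$Item)
    return (($Item.Attributes -band [System.IO.FileAttributes]::System) -ne 0)
}

# Adds the System attribute; equivalent of "attrib +s <path>".
function Add-SystemAttr {
    param([System.IO.FileSystemInfo]$Item)
    $Item.Attributes = $Item.Attributes -bor [System.IO.FileAttributes]::System
}

$ok = $true

# --- 1. filesystem attributes on the folder and on desktop.ini -----------------
$folder = Get-Item -LiteralPath $TokenFolder -Force -ErrorAction Stop
if (-not (Test-SystemAttr $folder)) {
    Write-Warning "Folder lacks the System attribute: $($folder.FullName)"
    if ($Repair) { Add-SystemAttr $folder; Write-Host "Set System attribute on folder." }
    else         { $ok = $false }
}

$iniPath = Join-Path $TokenFolder 'desktop.ini'
if (-not (Test-Path -LiteralPath $iniPath)) {
    Write-Warning "desktop.ini is missing from $TokenFolder; Explorer has nothing to act on."
    $ok = $false
} else {
    $ini = Get-Item -LiteralPath $iniPath -Force
    if (-not (Test-SystemAttr $ini)) {
        Write-Warning "desktop.ini lacks the System attribute."
        if ($Repair) { Add-SystemAttr $ini; Write-Host "Set System attribute on desktop.ini." }
        else         { $ok = $false }
    }
    # Show the icon path Explorer will try to load; its hostname is the token's unique DNS name.
    $iconLine = Select-String -LiteralPath $iniPath -Pattern '^\s*IconResource\s*=' |
                Select-Object -First 1
    if ($iconLine) { Write-Host "IconResource: $($iconLine.Line.Split('=', 2)[1].Trim())" }
}

# --- 2. the registry value written by the Remote Paths GPO --------------------
$polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
$polName = 'EnableShellShortcutIconRemotePath'
$polVal  = (Get-ItemProperty -Path $polKey -Name $polName -ErrorAction SilentlyContinue).$polName

if ($polVal -eq 1) {
    Write-Host "Remote icon paths policy: enabled."
} else {
    $shown = if ($null -eq $polVal) { 'absent (OS default applies)' } else { $polVal }
    Write-Warning "Remote icon paths policy is not enabled (value: $shown)."
    if ($Repair) {
        # Writing under HKLM\...\Policies needs an elevated prompt, and a domain GPO will
        # overwrite a local change at the next refresh, so prefer enabling it via GPO.
        New-Item -Path $polKey -Force | Out-Null
        Set-ItemProperty -Path $polKey -Name $polName -Value 1 -Type DWord
        Write-Host "Set $polName = 1."
    } else { $ok = $false }
}

if ($ok) { Write-Host "All checks passed; the token should fire when the folder is opened." }
else     { Write-Host "One or more checks failed; rerun with -Repair from an elevated prompt." }
```

Run it as `.\Check-FolderToken.ps1 -TokenFolder 'C:\Confidential\Finance_Q3'` to report, and add `-Repair` from an elevated prompt to fix what it finds. An absent policy value means the operating system default applies, which on the Windows versions described in the GPO note above is disabled; a value of 1 is what the GPO itself writes, so seeing it confirms the policy is in effect on that machine.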