Skip to main content

Search

How to create and troubleshoot the "Windows Folder" Canarytoken

Description: The Windows Folder Canarytoken works by dropping a desktop.ini file in a folder that instructs Explorer to load a custom icon for that folder. That icon's path will point to a unique DNS host resolving to your Canary Console.

For this Canarytoken to function correctly, the Canarytoken folder itself and the desktop.ini file in it must both have the filesystem's System attribute set, and the GPO "Allow the use of remote paths in file shortcut icons" must be enabled on the machine(s) accessing the folder.

Note re the System Attribute: Some versions of Microsoft Windows (e.g Windows Server 2016) do NOT preserve the System attribute of the Canarytoken folder when the archive is extracted using the built-in zip extraction feature. This results in a Windows Folder Canarytoken that does not trigger when opened.

Note re Remote Paths GPO: A recent group policy update to some versions of Windows (most notably Windows 11) defaults to disabling a functionality that this token relies on in order to fire.

If your Token isn't firing and you've already verified the system attribute is enabled for it, navigate to Group Policy > Computer Configuration > Administrative Templates > Windows Components > File Explorer > and ensure "Allow the use of remote paths in file shortcut icons" is enabled.

Enabling the policy creates a registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer called EnableShellShortcutIconRemotePath of type REG_DWORD set to 1.

If making this GPO Change isn't feasible for your organisation, we suggest checking out our Sensitive Command Token as an alternative.

Follow the steps below to create a Windows Folder Canarytoken, and set the proper filesystem attributes if needed:

Step 1:

Log in to your Console.

Canary_Login_.png

Step 2:

Select the Canarytokens tile. 

Token_Tile.png

Step 3:

Select the Windows Folder token from the list.

mceclip2.png

Step 4:

Over time, if you are using tokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is as descriptive as possible, and we will remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads "test" - and not knowing where you placed it.

Note: we chose "Dropped at C:\Confidential on WEBSEVER-01" as the reminder

mceclip3.png

Step 5:

Download the Canarytoken archive:

mceclip4.png

Step 6:

Move the token and place it in its intended location.

mceclip0.png

Step 7:

Right-Click the archive, select Extract All...

mceclip1.png

Step 8:

Verify the destination, click Extract and rename the folder from "My Documents" to something more inline with your naming conventions

mceclip2.png

Step 9:

(Optional) Delete the Archive file

mceclip3.png

Step 10:

If the token does not trigger when visited, this means the filesystem's System attribute was lost when extracted.
NOTE: This is the default behavior in Microsoft Windows Server 2016, so you must follow along to ensure that the Windows Folder Canarytoken works as expected if you're dropping it on this specific version.

mceclip0.png

Step 11:

To list the current Canarytoken Folder filesystem attributes, open the containing folder using Explorer "C:\Confidential  in this example", click on the path so it's highlighted, then type "cmd.exe" ... this will open a command prompt at that folder

mceclip4.png

Step 12:

Type "attrib +s CanaryToken_Folder" in the cmd.exe windows.

This will add the required filesystem attribute to the folder.

mceclip5.png

Step 13:

Canarytoken should be triggering now.

mceclip0.png

 

 

 

 

Was this article helpful?
7 out of 39 found this helpful
Return to top