Description: The Windows Folder Canarytoken works by dropping a desktop.ini file in a folder that instructs Explorer to load a custom icon for that folder. That icon's path will point to a unique DNS host resolving to your Canary Console.
For this Canarytoken to function correctly, both the Canarytoken folder itself and the desktop.ini file in it must have the filesystem's System attribute set.
Note: Some versions of Microsoft Windows (for example, Windows Server 2016) do NOT preserve the System attribute of the Canarytoken folder when the archive is extracted using the built-in zip extraction feature. The result is a Windows Folder Canarytoken that does not trigger when opened.
Follow the steps below to create a Windows Folder Canarytoken, and set the proper filesystem attributes if needed:
Log in to your Console.
Select the Canarytokens tile.
Select the Windows Folder token from the list.
Over time, if you are using tokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is as descriptive as possible, and we will remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads "test" - and not knowing where you placed it.
Note: we chose "Dropped at C:\Confidential on WEBSEVER-01" as the reminder
Download the Canarytoken archive:
Move the token and place it in its intended location.
Right-Click the archive, select Extract All...
Verify the destination, click Extract
(Optional) Delete the Archive file
If the token does not trigger when visited, the filesystem's System attribute was lost when the archive was extracted.
NOTE: This is the default behavior in Microsoft Windows Server 2016, so if you're dropping the token on this specific version you must follow the steps below to ensure that the Windows Folder Canarytoken works as expected.
To list the current Canarytoken folder filesystem attributes, open the containing folder using Explorer (C:\Confidential in this example), click on the path so it's highlighted, then type "cmd.exe". This will open a command prompt at that folder.
Type "attrib +s CanaryToken_Folder" in the cmd.exe window.
This will add the required filesystem attribute to the folder.
The Canarytoken should now trigger.
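The attribute check from the steps above as a PowerShell function, added here as an example and not taken from Thinkst's tooling. It checks both the folder and its desktop.ini, since both need the System attribute; the function name and the -Repair switch are made up for this example, and the path is the one used in this article.

```powershell
# Added example, not vendor code. Reports whether a Windows Folder Canarytoken
# and its desktop.ini carry the System attribute, and optionally restores it.
function Test-TokenFolderAttributes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,  # extracted token folder
        [switch]$Repair                       # hypothetical switch: set +s where missing
    )
    $system  = [System.IO.FileAttributes]::System
    $targets = @($Path, (Join-Path $Path 'desktop.ini'))

    foreach ($t in $targets) {
        # -Force so that items carrying Hidden/System attributes are returned
        $item = Get-Item -LiteralPath $t -Force -ErrorAction SilentlyContinue
        if (-not $item) {
            # A missing desktop.ini means the token cannot work at all
            [pscustomobject]@{ Path = $t; Exists = $false; System = $false; Repaired = $false }
            continue
        }

        $hasSystem = ($item.Attributes -band $system) -eq $system
        $repaired  = $false

        if (-not $hasSystem -and $Repair) {
            # Same effect as "attrib +s": add the flag, keep the other attributes
            $item.Attributes = $item.Attributes -bor $system
            $item.Refresh()
            $hasSystem = ($item.Attributes -band $system) -eq $system
            $repaired  = $hasSystem
        }

        [pscustomobject]@{ Path = $t; Exists = $true; System = $hasSystem; Repaired = $repaired }
    }
}

# Folder location and name as used in this article's example
Test-TokenFolderAttributes -Path 'C:\Confidential\CanaryToken_Folder' -Repair |
    Format-Table -AutoSize
```

Run it without -Repair first to see which of the two items lost the attribute during extraction.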