Overview
The Windows FTP Shortcut Breadcrumb creates a Windows shortcut that points to a Canary running FTP.
To an attacker, the shortcut appears as a previously accessed internal file location or operational file transfer endpoint.
Attackers commonly explore shared file locations and transfer systems while searching for sensitive data, backups, reports, or operational files. Placing a believable FTP shortcut on systems an attacker is likely to explore can help steer reconnaissance and file-access activity toward your Canaries.
Placement Ideas
Good locations for Windows FTP Shortcut Breadcrumbs include:
- Shared file servers: Place shortcuts in shared folders, Desktop locations, or commonly accessed operational directories.
- Finance or reporting systems: Place shortcuts near exported reports, archives, or operational data transfers where file movement would be expected.
- Administrator workstations: Place shortcuts alongside existing tools, scripts, or operational resources used for infrastructure management.
Follow the steps below to create a Windows FTP Shortcut Breadcrumb:
Step 1: Log in to your Console
Step 2: Confirm FTP is enabled on the Canary
Click the Canary you want to use for the Windows FTP Shortcut Breadcrumb and confirm that the FTP service is enabled.
Step 3: Open the Breadcrumbs tile on your Flock
Once you have confirmed that FTP is enabled, open the Breadcrumbs tile to create and download the Windows FTP Shortcut Breadcrumb.
Step 4: Select the Breadcrumb
Select Windows FTP Shortcut from the list of available Breadcrumbs.
If the Breadcrumb you want to create is greyed out, none of the Canaries in the selected Flock have the required service enabled. Enable the required service on a Canary and try again.
Step 5: Select the Canary
Select the Canary from the drop-down list. In this example, we have selected the Office-NAS-02 Canary.
Select Create to create the Breadcrumb.
If a Canary is not available in the drop-down list, it does not have the service required for this Breadcrumb enabled. Enable the required service on the Canary and try again.
Step 6: Download the Breadcrumb
Select Download Breadcrumb to download the Breadcrumb ps1 file.
The download section contains the following:
- crumb – Displays the PowerShell script that will create the Windows FTP Shortcut.
- Download Breadcrumb – Downloads a ps1 file containing all the information required to deploy the Windows FTP Shortcut Breadcrumb.
Step 7: Deploy the Breadcrumb on the target host
- Copy the downloaded .ps1 file to the target host.
- Execute the .ps1 file using PowerShell.
The Windows FTP Shortcut is now visible on the Desktop of the target host.
In this example, the script creates a Windows FTP Shortcut named Office-NAS-02, which is now visible in the target location.
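To confirm the deployment, the following added example (not part of the downloaded Breadcrumb script) looks for the shortcut on the Desktop and reports where it points. It assumes the shortcut is a .lnk or .url file on the current user's or the public Desktop; `$CanaryAddress` is a placeholder for your Canary's hostname or IP, and the parameter names are hypothetical.

```powershell
# Added example: post-deployment check for the Windows FTP Shortcut Breadcrumb.
# Assumptions (not taken from the downloaded script): the shortcut is a .lnk
# or .url file on the user or public Desktop; $CanaryAddress is a placeholder.
param(
    [string]$ShortcutName  = 'Office-NAS-02',           # name used in this walkthrough
    [string]$CanaryAddress = '<canary-hostname-or-ip>'  # placeholder: set to your Canary
)

# Check both the current user's Desktop and the all-users (public) Desktop.
$desktops = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$candidates = Get-ChildItem -LiteralPath $desktops -File |
    Where-Object { $_.BaseName -eq $ShortcutName -and $_.Extension -in '.lnk', '.url' }

if (-not $candidates) {
    Write-Warning "No shortcut named '$ShortcutName' found in: $($desktops -join ', ')"
    exit 1
}

# WScript.Shell can open existing .lnk and .url files and expose their target.
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($file in $candidates) {
    $shortcut = $shell.CreateShortcut($file.FullName)
    # Only .lnk shortcuts carry an Arguments property; .url shortcuts do not.
    $arguments = if ($file.Extension -eq '.lnk') { $shortcut.Arguments } else { '' }
    $haystack  = "$($shortcut.TargetPath) $arguments"
    [pscustomobject]@{
        File           = $file.FullName
        Target         = $shortcut.TargetPath
        Arguments      = $arguments
        Created        = $file.CreationTime
        PointsAtCanary = $haystack.IndexOf($CanaryAddress,
                             [StringComparison]::OrdinalIgnoreCase) -ge 0
    }
}

$results | Format-List

# Non-zero exit code if any matching shortcut does not reference the Canary.
if ($results.PointsAtCanary -contains $false) { exit 2 }
```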
Alerts
Alert Type: FTP Login Attempt
This is the standard FTP Login Attempt alert generated by the Canary.
The alert contains the FTP connection details associated with the login attempt, including the username and credentials used, source IP address, and additional alert information.
You’ve made it!