Overview
The Windows SMB Shortcut Breadcrumb creates a shortcut that points to a Canary running an SMB file share.
Attackers commonly inspect mapped drives, shared folders, and network shortcuts on compromised Windows systems while looking for sensitive files, administrative shares, or additional systems they can access. Placing a believable SMB shortcut on systems an attacker is likely to explore can help steer reconnaissance and lateral movement toward your Canaries.
Placement Ideas
Good locations for Windows SMB Shortcut Breadcrumbs include:
- Shared operational systems: Place shortcuts within shared administrative folders, operational directories, or utility locations used by IT teams.
- Jump boxes or bastion hosts: Place shortcuts on systems used to access internal infrastructure or shared resources.
- Backup or file management systems: Place shortcuts near archive locations, backup repositories, or operational file workflows where SMB access would be expected.
Follow the steps below to create a Windows SMB Shortcut Breadcrumb:
Step 1: Log in to your Console
Step 2: Confirm SMB is enabled on the Canary
Click the Canary you want to use for the Windows SMB Shortcut Breadcrumb and confirm that the SMB service is enabled.
Step 3: Open the Breadcrumbs tile on your Flock
Once you have confirmed that SMB is enabled, open the Breadcrumbs tile to create and download the Windows SMB Shortcut Breadcrumb.
Step 4: Select the Breadcrumb
Select Windows SMB Shortcut from the list of available Breadcrumbs.
If the Breadcrumb you want to create is greyed out, none of the Canaries in the selected Flock have the required service enabled. Enable the required service on a Canary and try again.
Step 5: Select the Canary
Select the Canary from the drop-down list. In this example, we have selected the Finance-Backup Canary.
Select Create to create the Breadcrumb.
If a Canary is not available in the drop-down list, it does not have the service required for this Breadcrumb enabled. Enable the required service on the Canary and try again.
Step 6: Download the Breadcrumb
Select Download Breadcrumb to download the Breadcrumb .ps1 file.
The download section contains the following:
- crumb – Displays the PowerShell script that will create the Windows SMB Shortcut.
- Download Breadcrumb – Downloads a .ps1 file containing all the information required to deploy the Windows SMB Shortcut Breadcrumb.
Step 7: Deploy the Breadcrumb on the target host
Copy the downloaded .ps1 file to the target Windows host. Right-click the .ps1 file and select Run with PowerShell. The PowerShell window opens and the script is executed.
In this example, the script creates a Windows SMB Shortcut named Finance-Backup, which is now visible on the Desktop alongside other shared resources and operational shortcuts.
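As an added illustration of what a deployment script of this kind does (this is not the script the Console generates for you), the following PowerShell creates a Desktop shortcut whose target is an SMB share on a Canary. The Canary hostname is a placeholder, and the share and shortcut names simply reuse the Finance-Backup example from this page.

```powershell
# Added example, not the Breadcrumb script generated by the Console.
# Creates a .lnk on the current user's Desktop that points at an SMB share on a Canary.
# CANARY-HOST-PLACEHOLDER must be replaced with your Canary's hostname or IP address.
param(
    [string]$CanaryHost   = 'CANARY-HOST-PLACEHOLDER',
    [string]$ShareName    = 'Finance-Backup',
    [string]$ShortcutName = 'Finance-Backup'
)

$target  = "\\$CanaryHost\$ShareName"
$desktop = [Environment]::GetFolderPath('Desktop')
$lnkPath = Join-Path $desktop "$ShortcutName.lnk"

# WScript.Shell is the usual way to write .lnk files from PowerShell.
$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)
$shortcut.TargetPath  = $target
$shortcut.Description = 'Shared backup folder'
# Use a local icon so Explorer never has to contact the share just to draw the shortcut.
# Index 9 in shell32.dll is commonly the network-drive icon; confirm it on your Windows build.
$shortcut.IconLocation = "$env:SystemRoot\System32\shell32.dll,9"
$shortcut.Save()
[void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell)

# Verify deployment by checking that the file exists; do not open the shortcut,
# since following it is exactly what raises the Shared File Opened alert.
if (Test-Path -LiteralPath $lnkPath) {
    Write-Host "Created shortcut $lnkPath -> $target"
} else {
    Write-Error "Shortcut was not created at $lnkPath"
}
```

Writing the .lnk does not itself touch the Canary, so a fresh deployment should produce no alert until someone actually follows the shortcut.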
Alerts
Alert Type: Shared File Opened
This is the standard Shared File Opened alert generated by the Canary.
The alert contains details of the SMB file access, including the file path accessed, SMB username, share name, SMB version, remote SMB host name, and additional alert information.
You’ve made it!