Skip to main content

Search

How do I create a Sensitive Command Canarytoken?

Sensitive Command Tokens enable you to track critical Windows commands for potential attacker actions. Utilising Windows' SilentProcessExit feature, the token works with Windows Error Reporting to monitor specific executables and promptly send alerts when they run. After creating the token on your Console, you download and import a registry file that sets up monitoring keys for both 64-bit and 32-bit systems. When a monitored process, such as whoami.exe or wmic.exe, executes, the token gathers the username and computer name, then issues a DNS alert to your Console—providing you with quick insight into suspicious activity on Windows machines.

Canarytokens can be closely tied into your OS, with the Sensitive Command Token, we can watch for attackers using invasive commands on Windows hosts.

Windows Error Reporting

This Token makes use of the underlying Windows function SilentProcessExit to trigger. SilentProcessExit relies on Windows Error Reporting infrastructure (WerSvc) to handle the termination of monitored processes and in turn, raise alerts. If Windows Error Reporting is disabled, SilentProcessExit loses the ability to communicate with it, preventing the Token from firing.

Registry Changes Made During Token Deployment

When we create the registry keys for the Sensitive Command Token, we make the following changes to the registry.

  1. We add a key in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\MONITOREDPROCESS.exe

    This will match the name of the process that you wish to monitor.

  2. We add 1 value to the above key:

    GlobalFlag = dword:00000200

  3. We create an additional key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SilentProcessExit\FILENAME.exe

  4. This with 2 values:

    "ReportingMode"=dword:00000001
  5. This enables us to run a process in response to the command of interest exiting. "MonitorProcess" — Sensitive Command Trigger.

The Sensitive Command Trigger executes cmd.exe and powershell.exe to send a DNS lookup alert to your Console. The command removes any spaces and non-DNS allowable characters. The command also collects the username and computername so when the alert triggers you know which user ran the command on which endpoint.

Step 1: Log in to Your Console

Console Login.png

Step 2: Open the Canarytokens

Hover over the Canarytokens tile and click on Add a new Canarytoken.

tile.png

Step 3: Create a Sensitive Command Token

Click on the Create a new token dropdown, then select the Sensitive Command Token.

CleanShot 2024-07-22 at 09.53.01@2x.png

Step 4: Enter Token Details

  1. Enter a helpful reminder, then enter the process name you'd like the Token to trigger on.
  2. Enter the name of the process that you want to monitor for execution (e.g., wmic.exe, whoami.exe, klist.exe, nltest.exe)
  3. Click on the Create token

details.png

Step 5: Download the Registry File

Your Token has now been created and is ready for download. Click on the Download Token button to grab the registry file we'll use to deploy the Token.

download.png

Step 6: Import the Token into the Registry

Import the downloaded registry file by running the reg import command twice, once to insert registry keys to monitor 64-bit process executions, and second time for 32-bit:

reg import <canarytoken>.reg /reg:64
reg import <canarytoken>.reg /reg:32

shell.png

Step 7: Trigger Alerts Instantly

The Token is now active, and when a monitored command is run....

cmd.png

Alert

An alert is generated in your Console.

CleanShot 2024-07-22 at 10.08.11@2x.png

last.png

Was this article helpful?
16 out of 16 found this helpful
Return to top