Description: Canarytokens can be tied closely into your OS. With the Sensitive Command Token, you can watch for attackers running invasive commands on Windows hosts.
Follow the steps below to create the Sensitive Command Token.
A note on avoiding loops: this Token uses cmd.exe and powershell.exe to fire its trigger, so neither of those executables should itself be tokenized, or a loop will occur. Attackers are likely to use PowerShell to launch tools such as mimikatz.exe; monitor for mimikatz.exe itself (rather than for powershell) to avoid false positives.
A note on how this Token is deployed when the .reg file is run:
When we create the registry keys for the Sensitive Command Token, we make the following changes to the registry.
1. We add a key at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MONITOREDPROCESS.exe]
   MONITOREDPROCESS.exe is the name of the process that you wish to monitor.
2. We add one value to the above key:
   GlobalFlag = dword:00000200
3. We create an additional key (FILENAME.exe is again the name of the monitored process):
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\FILENAME.exe]
4. This key has two values. The first is:
   "ReportingMode"=dword:00000001
5. This enables us to run a process in response to the command of interest exiting. The second value is:
   "MonitorProcess" - the Sensitive Command Trigger.
The Sensitive Command Trigger executes cmd.exe and powershell.exe to send a DNS lookup alert to your Console. The command strips any spaces and characters that are not allowed in DNS names. It also collects the username and computer name, so when the alert fires you know which user ran the command on which endpoint.
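To confirm the keys above landed correctly after a deployment, here is an added PowerShell audit script (not part of the Canary product or this page's .reg file). It assumes the key and value names listed above and lists every process on the host that is wired, via the GlobalFlag bit and a SilentProcessExit entry, to launch a monitor process when it exits.

```powershell
# Added example: audit Image File Execution Options / SilentProcessExit on a Windows host.
# Not the Canary product's own code; it reads the keys described in the deployment note
# and reports which processes are configured to launch a monitor process on exit.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SpeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$FlagMonitorSilentProcessExit = 0x200           # the GlobalFlag value the .reg file sets
$LoopRisk = @('cmd.exe', 'powershell.exe')      # tokenizing these loops (see the note above)

function Get-SilentExitMonitors {
    $results = @()
    foreach ($key in Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue) {
        $name = $key.PSChildName
        $flag = (Get-ItemProperty -Path $key.PSPath -Name 'GlobalFlag' `
                 -ErrorAction SilentlyContinue).GlobalFlag
        # Only entries with FLG_MONITOR_SILENT_PROCESS_EXIT (0x200) are of interest here
        if (-not $flag -or -not ($flag -band $FlagMonitorSilentProcessExit)) { continue }

        # The paired SilentProcessExit key must carry the same process name
        $spe = Get-ItemProperty -Path (Join-Path $SpeRoot $name) -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Process        = $name
            GlobalFlag     = ('0x{0:X}' -f $flag)
            ReportingMode  = $spe.ReportingMode
            MonitorProcess = $spe.MonitorProcess
            LoopRisk       = ($LoopRisk -contains $name.ToLower())
            # Complete = $false means the flag is set but the SilentProcessExit half is
            # missing or incomplete, i.e. the token will never fire for this process
            Complete       = [bool]($spe -and $spe.ReportingMode -eq 1 -and $spe.MonitorProcess)
        }
    }
    return $results
}

Get-SilentExitMonitors | Format-Table -AutoSize -Wrap
```

A row with LoopRisk = True means cmd.exe or powershell.exe has been tokenized and should be removed; any entry whose MonitorProcess you did not deploy yourself deserves a closer look, since the same mechanism is also used for persistence.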
Step 1:
Log in to your Console.
Step 2:
Hover over the Canarytokens tile and click on Add a new Canarytoken.
Step 3:
Click on the Create a new token dropdown, then select the Sensitive Command Token.
Step 4:
Enter a helpful reminder, then enter the name of the process you'd like the Token to trigger on.
This is the name of the process that you want to monitor for execution (e.g., wmic.exe, whoami.exe, klist.exe, nltest.exe).
Step 5:
Your Token has now been created and is ready for download. Click on the Download Token button to grab the registry file we'll use to deploy the Token.
Step 6:
Import the downloaded registry file by double-clicking it, or by running the reg import command.
Step 7:
The Token is now active, and when a monitored command is run...
Alert:
An alert is generated in your Console.
You're done! ;-)