Description: Canarytokens can be closely tied into your OS. With the Sensitive Command Token, you can watch for attackers running invasive commands on Windows hosts.
Follow the steps below to create the Sensitive Command Token.
A note on avoiding loops: This Token uses cmd.exe and powershell.exe to trigger, so neither executable should itself be monitored, or a loop will occur. Attackers are likely to use PowerShell to execute their tools, such as mimikatz.exe; monitor for mimikatz.exe itself rather than for powershell.exe to avoid false positives.
Step 1:
Log in to your Console.
Step 2:
Hover over the Canarytokens tile and click on Add a new Canarytoken.
Step 3:
Click on the Create a new token dropdown, then select the Sensitive Command Token.
Step 4:
Enter a helpful reminder, then enter the process name you'd like the Token to trigger on.
Enter the name of the process you want to monitor for execution (e.g., wmic.exe, whoami.exe, klist.exe, nltest.exe).
Step 5:
Your Token has now been created and is ready for download. Click on the Download Token button to grab the registry file we'll use to deploy the Token.
Step 6:
Import the downloaded registry file by double-clicking it, or by running the reg import command.
Step 7:
The Token is now active, and when a monitored command is run...
Alert:
An alert is generated in your Console.
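Once the registry file from Step 6 has been imported, you may want to confirm on the host that the Token really is armed and that no cmd.exe or powershell.exe entry has crept in (the loop hazard from the note above). The script below is an added example, not part of the Canarytokens documentation or the downloaded file; it assumes the Token is implemented with the Windows "silent process exit" monitor (an Image File Execution Options GlobalFlag plus a SilentProcessExit\<process> key whose MonitorProcess value names the command to run), and the function names are the example's own.

```powershell
# Added example (not from the Canarytokens documentation): verify a deployed
# Sensitive Command Token and flag the loop hazard described in the note above.
# ASSUMPTION: the token's .reg file registers a Windows "silent process exit"
# monitor (Image File Execution Options + SilentProcessExit) for the watched
# process. Run from an elevated PowerShell prompt after Step 6.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$speRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200

# Processes the note above says must never be tokened: the Token itself
# spawns them, so monitoring them would re-trigger the Token endlessly.
$loopRisk = @('cmd.exe', 'powershell.exe')

function Test-SensitiveCommandToken {
    param([Parameter(Mandatory)][string]$ProcessName)   # e.g. whoami.exe

    $result = [ordered]@{ Process = $ProcessName; Deployed = $false; LoopRisk = $false; Monitor = $null }

    if ($loopRisk -contains $ProcessName.ToLower()) { $result.LoopRisk = $true }

    $ifeo = Get-ItemProperty -Path (Join-Path $ifeoRoot $ProcessName) -ErrorAction SilentlyContinue
    $spe  = Get-ItemProperty -Path (Join-Path $speRoot  $ProcessName) -ErrorAction SilentlyContinue

    # Both halves must be present: the IFEO flag turns monitoring on, and the
    # SilentProcessExit key names the command run when the process exits.
    $flagSet = $ifeo -and (($ifeo.GlobalFlag -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0)
    if ($flagSet -and $spe -and $spe.MonitorProcess) {
        $result.Deployed = $true
        $result.Monitor  = $spe.MonitorProcess
    }
    [pscustomobject]$result
}

# Audit every monitored process on this host, not only the one you just
# created, so a stray cmd.exe or powershell.exe entry stands out.
function Get-SensitiveCommandTokens {
    Get-ChildItem -Path $speRoot -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SensitiveCommandToken -ProcessName $_.PSChildName }
}

Get-SensitiveCommandTokens | Format-Table -AutoSize
```

A row with Deployed = True and LoopRisk = False for the process you entered in Step 4 means the Token is armed as intended; any row with LoopRisk = True should be removed before it can fire.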
You're done! ;-)