I have included a few executable files that an attacker may not be able to resist executing. These executable files are fake binaries that print the help message of the original executable file to make it seem like the file is legitimate upon execution. These executable files are meant to be uploaded to Canary Tokens which will send you an email alert whenever the file is executed.
- Simply go to https://www.canarytokens.org/generate
- Select "Custom exe / binary" from the dropdown menu
- Enter the email address the alert notification should be sent to
- Set a Reminder that records which host you are placing this file on and the name of the fake executable file. This way your alerts will tell you where and what was executed
- Click "Generate Canary Token" to download your new decoy executable file
- Save the file on a device. I suggest generating a new token for each device you plan on placing this executable file on, so you know which host the file was executed from. This is a free tool
Q. Where should I save the Canary File? A. Anywhere that makes sense to you. I have included a couple example file locations below with a note on why that location might be good.
- C:\Temp
  # Common directory for storing files an admin may want to delete later but never did
- C:\Windows\Temp
  # Common directory for storing files an admin may want to delete later but never did
- C:\Windows\System32
  # In your Path variable, so files placed there are easier to execute
- C:\Users\Public\Downloads
  # Common place for downloaded executables
- C:\Users\Administrator\Downloads
  # Common place for downloaded executables
- C:\Windows\System32\spool\drivers\color
  # Commonly used by attackers to save files under the System32 directory tree
Use PowerShell to create a fake custom save location for Microsoft Edge temp files. When you click "Open" in Microsoft Edge, the temporarily saved file is placed in a GUID-named folder under this directory
$Guid = [guid]::NewGuid()
# Creates a GUID-named folder like the ones Edge creates for "Open" downloads; place the decoy executable inside it
New-Item -Path "$env:USERPROFILE\AppData\Local\Temp\MicrosoftEdgeDownloads" -Name $Guid -ItemType Directory -Force
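The following script is an added example and is not part of this repository; it ties together the suggested file locations above and the Edge temp folder snippet by copying a downloaded decoy into a chosen directory and recording host, path and hash in a local manifest, so an email alert's Reminder text can be matched back to where the file was placed. The parameter names, the manifest path under ProgramData, and the sample paths in the comments are assumptions, not anything canarytokens.org or this repo defines.

```powershell
<#
  Added example (not from the original repo): deploy a Canary Token decoy executable
  and keep a manifest of where it went.
  Assumptions: $DecoyPath is the file downloaded from canarytokens.org (placeholder path),
  $TargetDir is one of the directories suggested above or the Edge GUID folder,
  $DecoyName is the fake tool's file name, $ManifestPath is an assumed record location.
#>
param(
    [Parameter(Mandatory)][string]$DecoyPath,   # e.g. "$env:USERPROFILE\Downloads\canarytoken.exe" (placeholder)
    [Parameter(Mandatory)][string]$TargetDir,   # e.g. "C:\Windows\System32\spool\drivers\color"
    [Parameter(Mandatory)][string]$DecoyName,   # e.g. "PsExec.exe"
    [string]$ManifestPath = "$env:ProgramData\canary-manifest.csv"   # assumption: where the record is kept
)

if (-not (Test-Path -LiteralPath $DecoyPath)) {
    throw "Decoy not found: $DecoyPath"
}

# Create the target directory if it does not exist yet (e.g. a freshly generated Edge GUID folder)
$null = New-Item -Path $TargetDir -ItemType Directory -Force

$dest = Join-Path -Path $TargetDir -ChildPath $DecoyName
Copy-Item -LiteralPath $DecoyPath -Destination $dest -Force

# Backdate the timestamps so the decoy is not the newest file in the directory
$age  = (Get-Date).AddDays(-(Get-Random -Minimum 30 -Maximum 400))
$item = Get-Item -LiteralPath $dest
$item.CreationTime   = $age
$item.LastWriteTime  = $age
$item.LastAccessTime = $age

# Record host, path, the Reminder text used when generating the token, and the file hash.
# The Reminder string below is the same text you would type into the token's Reminder field.
$record = [pscustomobject]@{
    Host     = $env:COMPUTERNAME
    Path     = $dest
    Reminder = "$($env:COMPUTERNAME) - $DecoyName - $dest"
    SHA256   = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    Placed   = (Get-Date).ToString('o')
}
$record | Export-Csv -LiteralPath $ManifestPath -Append -NoTypeInformation

Write-Output "Placed $DecoyName at $dest (manifest: $ManifestPath)"
```

Run it once per decoy and per host, for example `.\Deploy-Canary.ps1 -DecoyPath "$env:USERPROFILE\Downloads\canarytoken.exe" -TargetDir 'C:\Windows\System32\spool\drivers\color' -DecoyName 'PsExec.exe'` (script name and paths are placeholders). Writing into System32 or its subtree requires an elevated session, and the manifest should be kept somewhere the hosts' users cannot read, since it lists exactly which files are decoys.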
Below is a list of the executables I have included and why an attacker might use them
- accesscheck.exe
  # Used for viewing permissions on files and discovering unquoted service paths
- nc.exe and nc64.exe
  # Used to execute bind and reverse shells or for transferring files
- procdump.exe
  # Used for dumping process memory which may contain clear text passwords or other info
- PsExec.exe
  # Used for executing commands on remote devices using SMB
If any of the above executables are run they will display the actual executable's help message. This is done to make them seem legitimate. Maybe we can trick an attacker into thinking their command line is bad or that someone messed up the executable's compilation.