Malware not needed ?

Recently had a duh moment while playing with the 'opened folder' canary technique used by canary - a project

One of the Canary triggers works by taking advantage of the way Microsoft Windows presents folders to it's users, this happens by checking for a hidden desktop.ini file that will point the OS to folder view preferences.

Canary works by directing the preferences to a remote server (that is listening for incoming requests) when that request comes in, we know the folder has been entered ! very sneaky! ( I didn't know about this technique until I was exploring the canary available payloads

So I figured, if we point it to a remote location with SMB authentication on it, we know that windows will automatically send it's current user's credentials to the location, I'll get hashes!


It works! so, if you are ever on a RedTeam and you have access to a shared folder plant one in there will need to make a share readonly for the desktop.ini to persist with a name like PeopleGettingSacked or Movies or CEO Holiday Pics ... whatever, you know better than me...

Additionally if you put the desktop.ini flat on a USB stick as soon as the pen is mounted (unless auto-run is disabled, it will open up the folder automatically (actioning the attack)

I bet this is already being used out there ! ... very sneaky/powerful, I had to share ... infact I can't help thinking this might be a very well known thing and i'm out of the loop -_-

I think there is some caching of the desktop.ini too (at least with windows 10, as when I ejected my evil USB I could still see incoming requests from my machine. - will follow up with that.

An indepth look into options when writing a desktop.ini file, possibly more oppertunities for trouble ?

Attacker & User view :