Bypass Canary Tokens for Monitored Commands

Cristian Cornea
3 min read · Apr 2, 2023

In this article, we will explore a simple but creative method to bypass Canary Tokens that are configured to alert when a specific command is executed on Windows.

Scenario

1. You just achieved initial access by compromising a workstation/server as a low-privilege user.

2. Your first command executed on that victim was “whoami”.

3. Your connection was cut off after 2 minutes.

4. You are not able to connect again to the affected endpoint.

5. You just realized that your access is lost.

Why did this happen?

The victim organization was using Canary Tokens to monitor the execution of various “sensitive” commands on its workstations and servers. One such monitored command was “whoami”. The attacker triggered an alert, and the Blue Team took quick and decisive action.

How can this situation be avoided? We’ll see over the course of this article.

What are Canary Tokens?

With the help of Canary Tokens, you can monitor files, objects, calls to domains, executed commands, and much more, in order to catch any ongoing exploitation attempt or intrusion. They are a type of cyber deception mechanism, much like honeypots.

You can create them using their official online platform: https://canarytokens.org/
