Bypass Canary Tokens for Monitored Commands
Apr 2, 2023
In this article, we explore a simple but creative method to bypass Canary Tokens that are configured to alert when a specific command is executed on Windows.
Scenario
1. You have just achieved initial access by compromising a workstation/server as a low-privilege user.
2. The first command you executed on that victim was “whoami”.
3. Your connection was cut off after 2 minutes.