Bypass Canary Tokens for Monitored Commands

Cristian Cornea
3 min read · Apr 2, 2023

In this article we explore a simple but creative method for bypassing Canary Tokens that are configured to alert when a specific command is executed on Windows.

Scenario

1. You have just achieved initial access by compromising a workstation or server as a low-privilege user.

2. The first command you executed on that victim was "whoami".

3. Your connection was cut off after 2 minutes.
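To make the scenario concrete from the monitoring side, here is an added example (not code from the article or from the Canarytokens project) of what a command-execution canary keys on: the executable name of each new process. It runs over constructed, Sysmon-style process-creation records; the record format, field names, sample lines and the `MONITORED_COMMANDS` set are all assumptions made for this example, not the real Canarytokens implementation.

```python
"""
Added example: a minimal model of a command-execution canary on Windows.
A canary configured to watch a specific command fires as soon as that command
runs, which is why the first "whoami" in the scenario above tripped it.
Record format, field names and sample lines below are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Commands the hypothetical canary is configured to watch (assumption).
MONITORED_COMMANDS = {"whoami.exe", "net.exe", "nltest.exe"}

# Constructed sample records: pipe-separated "key=value" fields per process start.
SAMPLE_LOG = """\
utc=2023-04-02T10:00:01|host=WS01|user=CORP\\jdoe|ppid=4120|image=C:\\Windows\\System32\\cmd.exe|cmdline=cmd.exe
utc=2023-04-02T10:00:07|host=WS01|user=CORP\\jdoe|ppid=5012|image=C:\\Windows\\System32\\whoami.exe|cmdline=whoami
utc=2023-04-02T10:00:09|host=WS01|user=CORP\\jdoe|ppid=5012|image=C:\\Windows\\System32\\notepad.exe|cmdline=notepad.exe
utc=2023-04-02T10:01:30|host=WS01|user=CORP\\jdoe|ppid=5012|image=C:\\Windows\\System32\\net.exe|cmdline=net user
"""


@dataclass
class ProcessEvent:
    utc: str
    host: str
    user: str
    ppid: int
    image: str
    cmdline: str


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed record into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        utc=fields["utc"],
        host=fields["host"],
        user=fields["user"],
        ppid=int(fields["ppid"]),
        image=fields["image"],
        cmdline=fields["cmdline"],
    )


def is_monitored(event: ProcessEvent) -> bool:
    """True when the started executable's basename is on the watch list.

    Matching the image basename (case-insensitively) rather than the raw
    command line means "whoami" typed at a prompt and the full
    "C:\\...\\whoami.exe" path are treated the same way.
    """
    return PureWindowsPath(event.image).name.lower() in MONITORED_COMMANDS


def find_alerts(log_text: str) -> list[ProcessEvent]:
    """Return every process-creation event that would trigger the canary."""
    events = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [ev for ev in events if is_monitored(ev)]


def first_alert_per_parent(log_text: str) -> dict[int, str]:
    """Map each parent PID (one shell session here) to its earliest alert time,
    so a responder can see how quickly after session start the canary fired."""
    first: dict[int, str] = {}
    for ev in find_alerts(log_text):
        first.setdefault(ev.ppid, ev.utc)
    return first


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"ALERT {alert.utc} {alert.host} {alert.user} -> {alert.image} ({alert.cmdline})")
    print(first_alert_per_parent(SAMPLE_LOG))
```

In the constructed log the `whoami` run at 10:00:07 is the first event that matches, which mirrors the scenario: the alert fires on the very first command, and the defender's response (cutting the session) follows shortly after.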

Cristian Cornea

🇷🇴 Founder: Zerotak Security | Cyber Security Training Centre of Excellence (CSTCE) | SectionX.io | BSides Transylvania