Canarytokens

# Sensitive Command Token

# What is a Sensitive Command token

Have you ever wanted a quick alert if an unexpected Windows process runs on a host?

This simple Canarytoken allows you to set up a quick alert when you want to know any time a specific command is executed.

This token creates a registry key and sends an alert to you in near real-time that the command of interest had been executed.

# Creating a Sensitive Command token

Head on over to canarytokens.org (opens new window) and select Sensitive command token:

image

Enter your email address, or webhook address along with a reminder that will be easy to understand, as well as the name of the program you want to alert on.

then click Create:

image

Download the .reg file and an install it on a Windows 10 or Windows 11 system.

image

You can do this from an Administrative Command Shell.

reg import <filepath\filename.reg>

# How to use this token

Once installed (with admin permissions) you'll get an alert whenever someone (or someone's code) runs your sensitive process. It will automatically provide the command used, computer the command ran on, and the user invoking the command.

Ideal candidates are executables often used by attackers but seldom used by regular users (e.g., whoami.exe, net.exe, wmic.exe, etc.).

You can use this for attacker tools that are not present on your system (e.g., mimikatz.exe), and if they are ever downloaded and run you'll get an alert!

Use a network management tool to deploy across your organization.

The alert will display the username and the hostname the command was executed on.

SVN Token