RDP, cmdkey, Canary (and thee)

Last month Florian Roth (cyb3rops) reacted to the news of Mimikatz dumping RDP credentials by asking how we could easily inject fake credentials into machines. https://twitter.com/cyb3rops/status/1397440903476883458 Markus Neis pointed out that on Windows, cmdkey allows you to do this: https://twitter.com/markus_neis/status/1397472760859856897 This is pretty awesome. Mimikatz is used by attackers the world over and having control of the data a Mimikatzer will see is a powerful tool to have. One route to looking for Mimikatz usage is injecting false credentials into lsass and watch for their usage in Active Directory, but tracking that credential usage will require some work on your domain controllers (or your SIEM). With the RDP service back on version 3 Canaries, we can use cmdkey to point attackers at our Canaries, and not have to worry about Active Directory integration. Let’s start by setting up a Canary as a Windows Server (called \\02-FINANCE-02 ). This will take all of 1 minut