Showing posts from September, 2022

Sensitive Command Token - So much offense in my defense

Introduction:

Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom, if ever, by regular users in regular usage). Reliably alerting when a user on your code-signing server runs whoami.exe can mean the difference between catching a compromise in week one (before the attackers dig in) and learning about the attack on CNN.

Introducing our new Sensitive Command Canarytoken. This quick, simple Canarytoken alerts you any time your chosen command is executed on a host.

For example: this token creates registry keys to alert you any time whoami.exe runs on a host. If an attacker lands on the server and runs whoami.exe (as most attackers almost instinctively do), they get the results they expect, and you get an alert letting you know that something bad is afoot.

Why this token?

In nearly every ransomware report, we can see attackers running a series of predictable commands on endpoints.
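The post says the token "creates registry keys" to alert when whoami.exe runs but does not say which ones; the script below is an added illustration, not the Canarytoken's own code, of one way to do that with the documented Windows silent-process-exit monitoring keys under Image File Execution Options. It assumes administrator rights, and the alert hostname is a placeholder you would replace with the hostname your token gives you.

```powershell
# Added illustration (not the Canarytoken's implementation): fire a DNS lookup
# to an alerting host every time whoami.exe exits, using the documented
# "silent process exit" monitoring feature. Requires administrator rights.
$Program   = 'whoami.exe'
$AlertHost = 'REPLACE-WITH-YOUR-TOKEN-HOSTNAME.example'   # placeholder, not a real token

$ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Program"
$spe  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$Program"

# 1. GlobalFlag 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) makes the loader report
#    exits of this image to the silent-process-exit machinery.
New-Item -Path $ifeo -Force | Out-Null
Set-ItemProperty -Path $ifeo -Name 'GlobalFlag' -Value 0x200 -Type DWord

# 2. ReportingMode 1 = launch MonitorProcess on exit. The monitor command only
#    resolves the alert hostname; whoami.exe itself behaves normally, so the
#    person who ran it sees the usual output and nothing else.
New-Item -Path $spe -Force | Out-Null
Set-ItemProperty -Path $spe -Name 'ReportingMode'  -Value 1 -Type DWord
Set-ItemProperty -Path $spe -Name 'MonitorProcess' -Value "cmd.exe /c nslookup $AlertHost" -Type String

# Verification helper: returns $true when both keys carry the expected values.
function Test-SensitiveCommandTrigger {
    param([string]$IfeoKey = $ifeo, [string]$SpeKey = $spe)
    $flag = (Get-ItemProperty -Path $IfeoKey -ErrorAction Stop).GlobalFlag
    $mode = (Get-ItemProperty -Path $SpeKey  -ErrorAction Stop).ReportingMode
    return ((($flag -band 0x200) -ne 0) -and ($mode -eq 1))
}

Test-SensitiveCommandTrigger
```

Because these same keys are a well-known place for attackers to plant their own MonitorProcess, keep an eye on changes to them (Sysmon registry events or your EDR's registry telemetry) so that a tampered or removed trigger is itself an alert.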