Monitoring Sensitive Windows Commands via CanaryTokens - Deploying Registry Entries via Group Policy

IppSec · Beginner ·🔐 Cybersecurity ·3y ago

00:00 - Intro, you should be using centralized logging for this. But if not this hackjob will do 01:18 - Talking about the Sensitve Command Token 02:00 - Examining how this all works, creates three registry keys for Image File Execution Options and SilentProcessExit 03:50 - Talking about the "So much offense in my defense" phrase. Really loved it, showing a blog about using this technique as a persistence 04:50 - Showing the token works and what the email looked like 05:30 - Ranting more about "so much offense in my defense" and why blue teamers should learn red team techniques 08:20 - Creating a new token so we can deploy this one via Active Directories Group Policy 09:00 - Opening GPMC and creating a registry entry 11:00 - Running gpupdate /force to show the group policy created the registry keys 13:00 - Attempting to get the arguments of our process but failing. Never get this part working. Referenced Blogs: https://blog.thinkst.com/2022/09/sensitive-command-token-so-much-offense.html https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HHC2016 - Analytics

HHC2016 - Analytics

HackTheBox - October

HackTheBox - October

HackTheBox - Arctic

HackTheBox - Arctic

HackTheBox - Brainfuck

HackTheBox - Brainfuck

HackTheBox - Bank

HackTheBox - Bank

HackTheBox - Joker

HackTheBox - Joker

HackTheBox - Lazy

HackTheBox - Lazy

Camp CTF 2015 - Bitterman

Camp CTF 2015 - Bitterman

HackTheBox - Devel

HackTheBox - Devel

Reversing Malicious Office Document (Macro) Emotet(?)

Reversing Malicious Office Document (Macro) Emotet(?)

HackTheBox - Granny and Grandpa

HackTheBox - Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Pivoting Update: Granny and Grandpa

HackTheBox - Optimum

HackTheBox - Optimum

HackTheBox - Charon

HackTheBox - Charon

HackTheBox - Sneaky

HackTheBox - Sneaky

HackTheBox - Holiday

HackTheBox - Holiday

HackTheBox - Europa

HackTheBox - Europa

Introduction to tmux

Introduction to tmux

HackTheBox - Blocky

HackTheBox - Blocky

HackTheBox - Nineveh

HackTheBox - Nineveh

HackTheBox - Jail

HackTheBox - Jail

HackTheBox - Blue

HackTheBox - Blue

HackTheBox - Calamity

HackTheBox - Calamity

HackTheBox - Shrek

HackTheBox - Shrek

HackTheBox - Mirai

HackTheBox - Mirai

HackTheBox - Shocker

HackTheBox - Shocker

HackTheBox - Mantis

HackTheBox - Mantis

HackTheBox - Node

HackTheBox - Node

HackTheBox - Kotarak

HackTheBox - Kotarak

HackTheBox - Enterprise

HackTheBox - Enterprise

HackTheBox - Sense

HackTheBox - Sense

HackTheBox - Minion

HackTheBox - Minion

VulnHub - Sokar

VulnHub - Sokar

VulnHub - Pinkys Palace v2

VulnHub - Pinkys Palace v2

HackTheBox - Inception

HackTheBox - Inception

Vulnhub - Trollcave 1.2

Vulnhub - Trollcave 1.2

HackTheBox - Ariekei

HackTheBox - Ariekei

HackTheBox - Flux Capacitor

HackTheBox - Flux Capacitor

HackTheBox - Jeeves

HackTheBox - Jeeves

HackTheBox - Tally

HackTheBox - Tally

HackTheBox - CrimeStoppers

HackTheBox - CrimeStoppers

HackTheBox - Fulcrum

HackTheBox - Fulcrum

HackTheBox - Chatterbox

HackTheBox - Chatterbox

HackTheBox - Falafel

HackTheBox - Falafel

How To Create Empire Modules

How To Create Empire Modules

HackTheBox - Nightmare

HackTheBox - Nightmare

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions

HackTheBox - Bart

HackTheBox - Bart

HackTheBox - Aragog

HackTheBox - Aragog

HackTheBox - Valentine

HackTheBox - Valentine

HackTheBox - Silo

HackTheBox - Silo

HackTheBox - Rabbit

HackTheBox - Rabbit

HackTheBox - Celestial

HackTheBox - Celestial

HackTheBox - Stratosphere

HackTheBox - Stratosphere

HackTheBox - Poison

HackTheBox - Poison

HackTheBox - Canape

HackTheBox - Canape

HackTheBox - Olympus

HackTheBox - Olympus

HackTheBox - Sunday

HackTheBox - Sunday

HackTheBox - Fighter

HackTheBox - Fighter

HackTheBox - Bounty

HackTheBox - Bounty

Related AI Lessons

A Systems-Theory Framework for Managing Burnout in Cybersecurity Teams

Apply systems theory to manage cybersecurity team burnout with targeted interventions, preserving human reliability in high-pressure environments

JWKS Is the Part of OAuth Nobody Explains Until Production Breaks

Learn how JWKS works with OAuth and JWTs to secure your app

Medium · Cybersecurity

HTB Path — AI Defense Walkthrough

Learn how to defend against AI-powered attacks with a walkthrough of the HTB Path AI Defense challenge

Medium · Cybersecurity

I Passed the OSCP on My First Attempt - My Study Plan

Learn how to prepare for the OSCP exam with a focused study plan and methodical thinking under pressure

Medium · Cybersecurity

Chapters (10)

Intro, you should be using centralized logging for this. But if not this hackj

1:18 Talking about the Sensitve Command Token

2:00 Examining how this all works, creates three registry keys for Image File Execu

3:50 Talking about the "So much offense in my defense" phrase. Really loved it, sho

4:50 Showing the token works and what the email looked like

5:30 Ranting more about "so much offense in my defense" and why blue teamers should

8:20 Creating a new token so we can deploy this one via Active Directories Group Po

9:00 Opening GPMC and creating a registry entry

11:00 Running gpupdate /force to show the group policy created the registry keys

13:00 Attempting to get the arguments of our process but failing. Never get this par

Ethical Hacking Career In 60 Seconds | Ethical Hacking Career Roadmap 2026 | #Shorts | #simplilearn