Canary Shares
Canary shares are decoy network file shares strategically deployed across an enterprise environment to detect unauthorized network reconnaissance and lateral movement. These honeypot shares are configured with enticing names like "Finance," "Backups," "HR_Documents," or "IT_Admin" and populated with bait files (credentials.xlsx, passwords.txt, database_backup.sql) that appear valuable to attackers but serve no legitimate business function. When adversaries gain initial access to a network, one of their first actions is typically share enumeration to identify accessible resources containing sensitive data, credentials, or pathways to high-value targets. Attackers commonly use built-in Windows commands like net view, net share, and dir \\server\share, as well as offensive tools such as PowerView (Invoke-ShareFinder, Find-InterestingFile), SharpShares, NetExec (netexec smb --shares), SMBMap, Impacket's smbclient.py, Snaffler (for automated credential hunting in shares), and BloodHound collectors that enumerate share permissions. Even legitimate IT tools repurposed by attackers, such as SoftPerfect Network Scanner or Advanced IP Scanner, will trigger canary share detections. With share and object auditing enabled, any access to these shares generates Windows Event ID 5140 (network share access) and Event ID 4663 (object access for files within). These are high-confidence alerts with minimal false positives, since legitimate users and processes have no reason to touch the decoy resources, which makes canary shares one of the most effective early-warning mechanisms for detecting post-exploitation activity and insider threats.
Share Naming Strategy
\\server\IT_Admin$
\\server\Backup_Archive
\\server\HR_Confidential
\\server\Finance_Reports
\\server\Executive_Data
\\server\Password_Vault
\\server\Domain_Backup
Creating a Canary Share
# Requires an elevated session on the file server
# Create the folder for the share
$SharePath = "C:\CanaryShares\IT_Admin"
New-Item -ItemType Directory -Path $SharePath -Force

# Create some decoy files in the share
$DecoyFiles = @(
    "domain_admin_passwords.txt",
    "server_inventory.xlsx",
    "network_credentials.docx"
)
foreach ($File in $DecoyFiles) {
    $Content = "=== CONFIDENTIAL - IT USE ONLY ==="
    Set-Content -Path (Join-Path $SharePath $File) -Value $Content
}

# Create the SMB share (the trailing $ makes it a hidden share;
# single quotes keep the $ literal)
New-SmbShare -Name 'IT_Admin$' `
    -Path $SharePath `
    -Description "IT Administration Files" `
    -FullAccess "Domain Admins" `
    -ReadAccess "Authenticated Users"

Write-Host "Canary share created: \\$env:COMPUTERNAME\IT_Admin$"
Hidden Share Detection (Dollar Sign Shares)
Hidden shares (ending with $) won't appear in network browsing but will be discovered by tools like:
- net view \\server /all
- BloodHound
- PowerView
- CrackMapExec
Configuring Share Auditing
# Requires an elevated session: reading and writing a SACL needs SeSecurityPrivilege
# Enable auditing on the share folder (-Audit retrieves the SACL, not only the DACL)
$SharePath = "C:\CanaryShares\IT_Admin"
$ACL = Get-Acl -Path $SharePath -Audit

# Create comprehensive audit rule: log successful reads by anyone, inherited by
# every subfolder and file. "Read" already includes ListDirectory, ReadAttributes
# and ReadExtendedAttributes; listing them explicitly is harmless.
$AuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone",
    "Read, ListDirectory, ReadAttributes, ReadExtendedAttributes",
    "ContainerInherit, ObjectInherit",
    "None",
    "Success"
)
$ACL.AddAuditRule($AuditRule)
Set-Acl -Path $SharePath -AclObject $ACL

# The SACL alone produces no events: the "File System" audit subcategory must
# also be enabled (see the GPO section below)
Write-Host "Share auditing configured for: $SharePath"
Auditing SMB Access via GPO
This must be enabled via Group Policy to capture network share access events.
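The following script is an added example, not code from the original page. It shows the local equivalent of the GPO audit settings (auditpol enables the "File Share" and "File System" subcategories that drive Event IDs 5140 and 4663), and then the detection side: pulling those events from the Security log and keeping only the ones that touch a canary share. It assumes the share names and the C:\CanaryShares\ folder prefix used earlier on this page; the event field names (ShareName, ObjectName, SubjectUserName, IpAddress, ProcessName) are the standard ones in the Windows Security event schema. The sample 5140 event at the end is constructed so the matching logic can be checked without a live log.

```powershell
# Added example (not from the original page). Run in an elevated session on the
# host that publishes the canary shares. Assumed: share names and folder prefix
# match the canary shares created earlier on this page.

$CanaryShares = @('IT_Admin$', 'Backup_Archive', 'HR_Confidential', 'Finance_Reports',
                  'Executive_Data', 'Password_Vault', 'Domain_Backup')
$CanaryPathPrefix = 'C:\CanaryShares\'

function Enable-CanaryAuditPolicy {
    # Local equivalent of the GPO setting (Advanced Audit Policy Configuration >
    # Object Access). "File Share" drives Event ID 5140, "File System" drives 4663;
    # without these subcategories the SACL on the folder produces no events.
    auditpol.exe /set /subcategory:"File Share"  /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    auditpol.exe /get /category:"Object Access"
}

function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    # Security events carry their fields as <Data Name="...">value</Data>
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function ConvertTo-CanaryAlert {
    # Returns an alert object when the event touches a canary share, otherwise $null
    param([int]$EventId, [datetime]$Time, [xml]$EventXml)
    $user = (Get-EventDataField $EventXml 'SubjectDomainName') + '\' +
            (Get-EventDataField $EventXml 'SubjectUserName')
    switch ($EventId) {
        5140 {
            # ShareName is logged as \\*\<name>; strip that prefix before matching
            $share = Get-EventDataField $EventXml 'ShareName'
            $name  = $share -replace '^\\\\\*\\', ''
            if ($CanaryShares -contains $name) {
                return [pscustomobject]@{
                    Time = $Time; EventId = 5140; User = $user
                    Source = Get-EventDataField $EventXml 'IpAddress'
                    Object = $share
                }
            }
        }
        4663 {
            # 4663 names the local file path; match on the canary folder prefix
            $obj = Get-EventDataField $EventXml 'ObjectName'
            if ($obj -like "$CanaryPathPrefix*") {
                return [pscustomobject]@{
                    Time = $Time; EventId = 4663; User = $user
                    Source = Get-EventDataField $EventXml 'ProcessName'
                    Object = $obj
                }
            }
        }
    }
    return $null
}

function Get-CanaryShareAccess {
    # Pull recent 5140/4663 events from the Security log and keep canary hits only
    param([int]$LookbackHours = 24)
    $filter = @{ LogName = 'Security'; Id = 5140, 4663; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-CanaryAlert -EventId $_.Id -Time $_.TimeCreated -EventXml ([xml]$_.ToXml()) } |
        Where-Object { $_ }
}

# Constructed sample 5140 event (not a real log entry) to exercise the matching offline
$SampleXml = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="ShareName">\\*\IT_Admin$</Data>
  </EventData>
</Event>
'@
ConvertTo-CanaryAlert -EventId 5140 -Time (Get-Date) -EventXml $SampleXml | Format-List
```

Run Enable-CanaryAuditPolicy once on a lab host, or push the same two subcategories by GPO in production, then schedule Get-CanaryShareAccess (or forward the Security log to your SIEM and apply the same ShareName/ObjectName filter there). Because the decoy shares have no legitimate consumers, every object this returns is worth a ticket.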
