Fake file system Documentations (#58)

thinkst-cs · stavares843 · web-flow · commit 31f6a0e1899c · 2024-12-13T20:28:14.000+02:00
* Create windows-fake-files-token.md

Added Windows Fake File System Folder

* Update windows-fake-files-token.md

Screen shot

* Update windows-fake-files-token.md

Image Update

* Update windows-fake-files-token.md

Updated screen shots and removal instructions

* Update windows-fake-files-token.md

typo

* fix typos

---------

Co-authored-by: Sara Tavares &lt;29093946+stavares843@users.noreply.github.com&gt;
diff --git a/docs/guide/windows-fake-files-token.md b/docs/guide/windows-fake-files-token.md
@@ -0,0 +1,42 @@
+# Windows Fake File System
+
+## What is a Fake File System
+
+Have you ever wanted to create a fake list of sensitive files and receive an alert if one of them is opened or copied?
+
+This simple Canarytoken allows you to set up a fake directory, with context-specific file names and extensions.
+
+This Canarytoken uses the built-in Windows Projected File System, to create and monitor a path.
+
+This is done with a PowerShell script behind the scenes.
+
+
+## Creating a Windows Fake File System Canarytoken
+
+Head on over to [canarytokens.org](https://canarytokens.org/generate) and select `Windows Fake File System`:
+
+![image](https://github.com/user-attachments/assets/e5e85422-aff6-4b19-aec8-55034c5f5a9d)
+
+
+Enter the Path for your folder, email address, or webhook address along with a reminder that will be easy to understand.
+
+Then click Create:
+
+<img width="707" alt="image" src="https://github.com/user-attachments/assets/8f595680-33e6-4957-be02-879193b6905c">
+
+
+Download the .ps1 file to a Windows system. You need to execute this as an Administrator. This installs the Windows Projected File System and creates the scheduled task.
+
+
+
+## How to use this Canarytoken
+
+Once this token is installed, it will create and start a Scheduled Task to spawn the Windows Fake File System Provider.
+
+You can browse to this folder and list files.  This will not trigger an alert. 
+
+If an attacker opens or copies a file, then you will get an alert that lets you know the process and file that was accessed. 
+
+If you would like to remove the task, simply run the PowerShell script again with `-Remove`. This will stop the process managing the folder and remove any artifacts created.
+
+
