What are Canarytokens?
Canarytokens can be thought of as digital tripwires. They can be deployed quickly and easily in a huge number of places. A side benefit is that once attackers become aware that Canarytokens are in use, the tokens slow them down considerably, forcing them to distrust anything they grab during the engagement.
Canarytokens are free and unlimited. Each Canarytoken you create should be placed in a single location only, and once a token has triggered an alert, it should be deleted and replaced with a fresh one. We have a variety of ways to help you deploy them at scale quickly and easily, so the sky’s the limit when it comes to the number you’d like to create.
Each Canary Console comes with its own Canarytoken server, which means your Console is ready and waiting to start generating Tokens for you to use in your environment.
Once you’re ready to take a closer look, each token discussed below has a link to its own Knowledge Base article, and you can also read more about Canarytokens in our awesome Birding Guide.
Types of Canarytokens
Below are the currently available Canarytokens in your Canary Console:
Canarytoken Overview and Potential Use Cases
DNS
Description: This Token is an FQDN (Fully Qualified Domain Name) which triggers an alert when it is resolved. It only needs a DNS query to function, so it will alert even if the machine it’s triggered from doesn’t have HTTP access to the Internet.
Potential Use Cases:
- Include a command that resolves this FQDN in a script. This will generate an alert each time the script in question is run.
- Leave it inside a .bash_history, or an .ssh/config file. An attacker observing an attractive domain name will want to investigate.
Web Bug
Description: This Token generates a URL that triggers an alert when it is accessed. As this token causes a DNS query and then an HTTP connection to the resolved IP, it is able to display the public IP of the machine that has triggered the alert.
Potential Use Cases:
- Use it anywhere you’d use a hyperlink (e.g. a hyperlink in a document, or inside another application, where you would want to know if someone had gained access).
- Use it anywhere a link to a remote asset would be used (e.g. a web shortcut, a remote file or font, or a bookmark in a web browser).
Microsoft Word, Excel and Macro-enabled tokens
Description: These Tokens are documents which trigger an alert when opened in their native applications.
They rely on DNS and/or HTTP queries and are most reliable in situations where you have control over installed applications, internet access and file-type associations.
The macro-enabled varieties of the MS Word and Excel Tokens will also attempt to execute a macro on the client machine to retrieve more detailed information about the person and system being used to open the document.
Potential Use Cases:
- Name the file something an attacker would value/find interesting (e.g. AWS Break-glass credentials, Server Local Admin Account List, Company Bonus Structure, Onboarding Process, Asset Inventory, Meeting Minutes).
- Place the token where your legitimate users wouldn’t encounter it, but where an attacker would be able to find/access it.
- For even better coverage, place a link to the Windows File Share service on one of your Canaries in the text of the document. If an attacker opens the document on a machine on your network and follows the link, you’ll get both the File Share and Token alert.
- Pin or share the document in a Slack/Teams channel or other instant messenger service, so that if one of those services is compromised the attacker could discover the tokenised file.
Acrobat PDF
Description: These are PDF documents that notify you when they have been opened in Acrobat/Acrobat Reader. As with the other document types, the file should be renamed to something enticing and can contain "valuable" decoy content; the alert tells you that a particular location has been accessed.
Potential Use Cases:
- Drop the .pdf into a network share.
- Leave the .pdf on a web server in an inaccessible directory, to detect Webserver breaches.
- These tokens can be used in the same way as Word or Excel Tokens.
Sensitive Command
Description: This Token alerts whenever the specified process runs on the machine you install the token on. For example, you could configure a Sensitive Command Token to alert you every time calculator.exe is run on Workstation12 in your environment. These Tokens work by creating a small registry entry that you run on the target machine (Workstation12, in our example).
Potential Use Cases:
- Tokenise important/noteworthy executables on critical systems that an attacker would be likely to run once they’ve gained access. Some examples of these would include whoami.exe, mstsc.exe, mmc.exe or other applications like credential managers.
- Consider monitoring "living off the land" tooling: WMIC, certutil, cmdkey, cscript, diskshadow, ftp, msconfig, schtasks, procdump, klist, nltest, Sysinternals tools.
- Unexpected attacker tooling: Mimikatz, python, 7zip, nmap, hashcat, wireshark, netcat.
Windows Folder
Description: This Token generates an alert when a specific Windows folder is accessed via Windows Explorer.
Potential Use Cases:
- This Token can be useful to identify that a particular location has been accessed/traversed. Place this token in locations on your servers that users would never need to access, and that are of high value to an attacker – subdirectories of User Profiles, C:\Program Files, C:\Windows and other system-related locations such as IIS web or ftp roots or SQL installation folders.
Custom Exe/Binary
Description: This Token signs a .exe or a .dll with a certificate, and alerts when Windows checks the certificate as part of running the .exe or loading the .dll.
Potential Use Cases:
- Tokenize important/noteworthy executables that an attacker would be likely to run once they’ve gained access to a system.
- Tokenize a binary on a Webserver that creates a connection to a non-existent database.
- Tokenize a .dll on an application server that's responsible for authentication/encryption (auth.dll).
WireGuard VPN
Description: This Token works by creating a fake VPN configuration profile that you then import into Wireguard on your phone, tablet or anywhere else that the Wireguard application is installed. If an attacker compromises a machine, one of the things they will try to do is connect using any saved VPN profile they find to gain further access to important network segments. If they "connect" using the fake VPN credentials in the token, you will get an alert.
Potential Use Cases:
- Pre-configure the Wireguard VPN credential sets in Wireguard on all company-issued hardware, or share the QR Code the token generates in the company's instant messaging platform (not in a channel where your employees are likely to come across it).
- Include the Wireguard credentials in text documents, emails, or other documents, and leave them in locations where attackers would discover them.
Cloned Website
Description: This is a snippet of JavaScript that you embed into your website code that will check the domain name it is being run on. If the domain the JavaScript is running on doesn’t match what you specified when creating the token, it will generate an alert in your Console.
Potential Use Cases:
- Use this Token to identify and locate clones/copies of your login/customer portal website that have been created, so that you can respond/take them down quickly and prevent phishing attacks.
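The mechanism described above, written out as an added example (this is not Thinkst's own snippet, and the beacon URL and allowed hostnames are constructed placeholders; a real token URL comes from your Console). The check runs in the visitor's browser: if the page is served from a host that is neither an allowed host nor a subdomain of one, it loads a tiny remote image whose URL carries the clone's location and the referrer, which is what produces the alert. It goes slightly beyond the description by treating subdomains of your own domain as legitimate, so a staging or login subdomain does not fire the beacon.

```javascript
// Added example (not Thinkst's code): the mechanism behind a Cloned Website token.
// BEACON_URL and ALLOWED_HOSTS are constructed placeholders for this example.
const BEACON_URL = "https://example.invalid/clone-beacon"; // placeholder, not a real token URL

// Hostnames you legitimately serve. Subdomains of each are treated as legitimate too.
const ALLOWED_HOSTS = ["example.com", "www.example.com"];

// True when `hostname` is neither an allowed host nor a subdomain of one.
// Comparison is case-insensitive and tolerates a trailing dot (e.g. "example.com.").
function isClonedHost(hostname, allowed = ALLOWED_HOSTS) {
  const h = String(hostname).toLowerCase().replace(/\.$/, "");
  if (h === "") return true; // e.g. a file:// copy of the page has no hostname
  return !allowed.some((a) => {
    const base = a.toLowerCase().replace(/\.$/, "");
    return h === base || h.endsWith("." + base);
  });
}

// Build the beacon URL with the page location (l) and referrer (r) as query
// parameters, so the alert records where the clone lives and how the visitor got there.
function buildBeaconUrl(pageUrl, referrer, beacon = BEACON_URL) {
  const u = new URL(beacon);
  u.searchParams.set("l", pageUrl);
  u.searchParams.set("r", referrer || "");
  return u.toString();
}

// Browser entry point. An <img> load needs no CORS permission and no XHR, so it works
// from a clone on any origin. Returns the beacon URL fired, or null when nothing fired.
// Guarded so the same file can be loaded under Node for testing.
function checkForClone() {
  if (typeof window === "undefined" || typeof document === "undefined") return null;
  if (!isClonedHost(window.location.hostname)) return null;
  const img = new Image();
  img.src = buildBeaconUrl(window.location.href, document.referrer);
  return img.src;
}

checkForClone();
```

In a real deployment the snippet is placed in the page's own HTML (or a bundled script) so that anyone who copies the page wholesale copies the check along with it; the alert then arrives the first time a victim is sent to the clone.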
QR Code
Description: This is a QR code that triggers an alert when it is scanned, and then loads a specified webpage on the scanning device. As this token lets you direct the scanning device/utility to any HTTP endpoint, if it’s scanned from a device that is connected to your network you can also point it to the web service on a Canary to get a second alert.
Potential Use Cases:
- Leave a screenshot of the QR code in a Slack channel with a message indicating to scan the QR code for MFA setup codes.
- Print it and place it in server rooms and other sensitive locations with a message such as “Scan for network login details”, “Scan for Device Enrolment” or “Join the company WiFi”.
- Stick it inside the chassis of every company-owned PC, with a message saying “Scan for local admin account on this machine”, and get notified any time someone opens a company PC against your policy.
AWS API Key
Description: This Token creates a set of credentials that, when used to run an API call on AWS, will trigger an alert. You don't need to use AWS, as the Token links to an AWS instance that belongs to us at Thinkst Canary. Because this Token needs an attacker to be connected to the internet for it to be of any use, you can guarantee that these Tokens will generate an alert every time they are used.
Additionally, because more interaction is required of an attacker to trigger them (i.e. using them to log in or authenticate to a service), you drastically reduce the risk of a legitimate user accidentally triggering an alert in the normal course of business, so you can leave these Tokens in more widely accessible locations without needing to worry about false positive alerts.
Potential Use Cases:
- Embed this Token into emails, code repositories, password managers, or leave in private Git repositories.
- Include the Token in physical/printed documentation, or store in network/infrastructure design documents or schematics.
- Leave these credential sets in .txt files or other documents inside user profiles, as attackers are attracted to user profiles as a source of personal/individual information.
- Share the Token's credentials via email or instant messaging.
AWS S3 Bucket
Description: These Tokens live in your AWS environment and monitor an S3 bucket of your choosing, and generate an alert when the S3 bucket is accessed. They provide better fidelity results than uploading document token-types to your cloud services, as they are designed to not trigger alerts when background processes such as sandboxing and scanning (which routinely occur in cloud storage) take place.
Potential Use Cases:
- Use it like any standard S3 bucket, and link to it in documentation, employee onboarding documents, instant messaging channels, via QR code, or anywhere else that you would link to a remote resource.
Azure Login Certificate
Description: This Token creates a valid set of Azure credentials that, when used to attempt a login to Azure, triggers an alert. Like the AWS API Key token, they need the attacker to be connected to the internet for them to be of any use, so you can guarantee that these Tokens will fire every time they are used. Similarly, because more is required of an attacker to trigger them (i.e. using them to log in or authenticate to a service), you drastically reduce the risk of a legitimate user accidentally triggering an alert in the normal course of business.
Potential Use Cases:
- Embed into emails, code repositories, password managers, or leave in private Git repositories or file shares, or pin in a Slack channel.
- Include in physical/printed documentation, or store in design documentation.
- Leave these credential sets in .txt files or other documents inside user profiles.
Slack API Key
Description: This Token creates a set of credentials that, when used to attempt to connect to Slack, triggers an alert. The same benefits as the AWS API key apply - internet access is required, and there is very low risk of false positives.
Potential Use Cases:
- Embed into emails, code repositories, password managers, or leave in private Git repositories.
- Include in physical/printed documentation, or store in design documentation.
- Leave these credential sets in .txt files or other documents inside user profiles.
- Share via email or instant messaging.
Slow/Fast Redirect
Description: The Redirect token is a URL that will trigger an alert and then redirect a user to any website you specify. If you place the Redirect Token in a specific location, this Token can tell you that the location has been accessed, similar to a Web Bug Token. It has the added benefit of being able to redirect the person who clicked it onto a harmless website (or the web service on your Canary) after alerting. There are two different types of Redirect Token:
Slow Redirect: This Token runs a browser scanner that collects browser/plugin information before redirecting to the specified URL.
Fast Redirect: This Token does not collect browser or browser plugin information, it simply alerts you when triggered.
Potential Use Cases:
- Use in sensitive locations any time you’d insert a hyperlink or web shortcut.
- Replace links with these to capture user information before the user is redirected to where they want to go.
- Redirect to Canary web services for alerting from internal machines in your environment.
Custom Web Image
Description: This Token works by uploading an image of your choice to your Console. The image is then given a URL, and you can link to this image from within any application that supports remote images. When accessed, the image is loaded from the token URL, and triggers an alert in the process.
Potential Use Cases:
- The generated link can be included in web pages, applications, or anywhere a remote image could be embedded, or simply stored as a shortcut in a browser.
Office 365 Mail Bug
Description: This Token generates an email with customisable subject lines and body that can be placed into user mailboxes in your tenant. If the mail is read, you receive an alert. The mail is marked as read, and inserted into the user’s Archive folder to minimise false positives resulting from the user themselves opening the mail.
Potential Use Cases:
- This Token works best when you fill the subject and body of it with keywords and phrases attackers would search for (e.g. Credentials / MFA resets or other sensitive information such as salaries and bonuses).
- The email content can include anything, so you can also include links within the mail body to point to Web or File Share services on your Canaries in the event that the mail is read on an internal machine on your network. You could also insert other Tokens such as AWS API keys or Wireguard VPN credentials into the body of the email.
Google Docs/Sheets
Description: Similar to a Word or Excel Canarytoken, Google documents can also be tokenised. When the document is opened, an alert will be generated on your Console.
Potential Use Cases:
- Name the file something an attacker would value/find interesting, in the same way as you would for an MS Word or Excel token (e.g. AWS Break-glass credentials, Company Bonus Structure, or the like) and place the Token in locations your legitimate users wouldn’t encounter it, but that an attacker would be able to find/access.
- For even better coverage, inside the tokenised document, place a link to the Windows File Share service on one of your Canaries. If an attacker opens the document from a machine on your network and follows the link, you’ll get both the Token alert and a File Share alert.
Gmail Mailbug
Description: Similar to the Office 365 Mailbug, this Token generates an email with customisable subject lines and body that can be placed into specified mailboxes in your tenant. If the mail is read, you receive an alert.
Potential Use Cases:
- Much the same as the Office 365 Mailbug, this Token works best when you fill the subject and body with keywords and phrases attackers would search for (e.g. Credentials / MFA resets or other sensitive information such as salaries and bonuses). You can configure the content of the email to include anything, so you can also include links within the mail body to point to Web or File Share services on your Canaries, or other Tokens such as AWS or Slack API Keys.
Mass Deployment of Tokens
The good news is that once you’ve tested the Tokens and decided on the ones you’d like to use, you don’t have to worry about deploying large numbers of them manually. We support Mass Token Deployment, and have a number of customisable scripts that can be adapted for your environment. Feel free to have a look at our GitHub page here, and of course, feel free to reach out to us with any questions.