Breadcrumbs are a powerful tool for guiding attackers towards your Canaries. They take the form of profiles or device entries across various services that an attacker might poke at for vulnerable hosts, leading them directly towards the Canary. This article runs through the creation of Breadcrumbs.
Breadcrumbs are more dynamic and take slightly more upkeep than Tokens and Canaries. They are relatively short-lived, lasting only until the Canary's settings (or IP) change to invalidate them. If you make changes to a service's port number, or to the name or IP of your Canary, be sure to scatter some more Breadcrumbs to make sure they stay fresh!
Remember that Breadcrumbs act as "lures", attracting bad actors towards your Canaries. You'll want to place them around your environment for hackers to find. Consider locations like your own host, password managers, remote admin tools, machine backups and jump boxes: these are all places where you'd want to know if an attacker had breached them.
Available Breadcrumbs
Breadcrumbs are available for the following services:
| Service | Available Breadcrumbs |
|---|---|
| SSH | PuTTY profile, SSH Key pair* |
| File Transfer (FTP) | Windows shortcut, FileZilla profile, WinSCP profile |
| Remote Desktop Protocol | Microsoft Remote Desktop profile |
| Webserver | Windows & MacOS web shortcuts |
| Windows File Share | Windows shortcut |
Credential Breadcrumbs
The SSH Key Breadcrumb generates valid SSH credentials and saves them on your Console. If these credentials are ever spotted in an attack against one of your Canaries, you will receive an additional alert notifying you that the Breadcrumb was used and providing additional context about where it was deployed. Because these Breadcrumbs require additional user input, they are not included when mass downloading crumbs for a Canary.
Step 1: Log in to your Console
Step 2: Open the Breadcrumbs card on your Flock
You must have at least one Canary commissioned in the Flock to create a Breadcrumb. You can also access Breadcrumb creation for a single Canary by navigating to your Canary configuration (as shown below).
Step 3: Choose a Breadcrumb type
Make sure at least one Breadcrumb service is enabled on a Canary in your Flock. If there are none, you can pop into the config for your Canary and enable them.
Step 4: Choose a Canary
You can choose any Canary in your Flock that has the required service enabled.
The SSH Key Breadcrumb also requires you to enter a reminder. This will be used to notify you if an attacker uses the credentials generated by the crumb. Other crumbs do not currently track credentials, and don't require a reminder.
Step 5: Download and deploy your breadcrumb
Once your Breadcrumb has been generated, download it by selecting the "Download" option in the bottom right of the UI. Then scatter the crumb on your network by following the deployment instructions given for each individual crumb.
Mass Download
Rather than downloading and deploying one Breadcrumb at a time for your Canary, you also have the option of downloading all available crumbs at once.
Step 1: Navigate to your Canary
Step 2: Go to the Breadcrumbs section
Make sure at least one breadcrumb service is enabled on your Canary. If there are none, you can pop into the config and enable them. Every breadcrumb service enabled will add additional crumbs to the mass download.
Step 3: Download the Breadcrumb archive
This will download a zip file containing all of the currently available Breadcrumbs for your Canary, as well as a readme file with instructions for deploying them all.
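Because Breadcrumbs stop working as soon as the Canary's IP, name or service port changes, it helps to audit deployed crumbs against the Canary's current settings. The script below is an added example, not part of the Canary product or the original article: it assumes the crumbs are standard text-based client files (an .rdp profile, a Windows .url shortcut, a FileZilla site export), does not handle binary .lnk shortcuts, and the function names, file names and addresses are constructed for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def parse_rdp(text):
    # .rdp profiles carry the target as "full address:s:host[:port]"
    m = re.search(r"^full address:s:([^:\s]+)(?::(\d+))?\s*$", text, re.M | re.I)
    return (m.group(1).lower(), int(m.group(2) or 3389)) if m else None

def parse_url_shortcut(text):
    # Windows .url shortcuts carry the target as "URL=scheme://host[:port]/"
    m = re.search(r"^URL=(\S+)", text, re.M)
    if not m:
        return None
    u = urlsplit(m.group(1))
    return (u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def parse_filezilla(text):
    # FileZilla site exports carry <Server><Host>..</Host><Port>..</Port></Server>
    server = ET.fromstring(text).find(".//Server")
    if server is None or not server.findtext("Host"):
        return None
    return (server.findtext("Host").lower(), int(server.findtext("Port") or 21))

PARSERS = {".rdp": parse_rdp, ".url": parse_url_shortcut, ".xml": parse_filezilla}

def stale_crumbs(crumbs, canary_endpoints):
    """crumbs: {filename: decoded text}; canary_endpoints: set of (host, port)
    the Canary currently answers on. Returns crumbs that point anywhere else."""
    stale = []
    for name, text in sorted(crumbs.items()):
        parser = PARSERS.get(os.path.splitext(name)[1].lower())
        endpoint = parser(text) if parser else None
        if endpoint not in canary_endpoints:
            stale.append((name, endpoint))
    return stale

# Constructed sample: Canary at 192.0.2.10 with RDP on 3389, FTP moved to 2121,
# web on 80. The web crumb still carries the Canary's previous IP.
CURRENT = {("192.0.2.10", 3389), ("192.0.2.10", 2121), ("192.0.2.10", 80)}
SAMPLE = {
    "jumpbox.rdp": "screen mode id:i:2\nfull address:s:192.0.2.10:3389\n",
    "ftp-backup.xml": "<FileZilla3><Servers><Server><Host>192.0.2.10</Host>"
                      "<Port>21</Port></Server></Servers></FileZilla3>",
    "intranet.url": "[InternetShortcut]\nURL=http://192.0.2.9/\n",
}

if __name__ == "__main__":
    for name, endpoint in stale_crumbs(SAMPLE, CURRENT):
        print(f"STALE {name}: points at {endpoint}")
```

Any crumb the script reports should be regenerated from the Console and redeployed, since it no longer leads to a listening Canary service.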