Overview
Breadcrumbs are designed to guide attackers toward your Canaries by resembling the kinds of useful references, shortcuts, and access details they expect to find while exploring an environment.
They can appear as connection profiles, shortcuts, host entries, saved sessions, or other pointers that quietly lead to Canary services.
For example, an attacker exploring a compromised host might discover:
- a Remote Desktop (RDP) shortcut
- an SSH host entry with an associated private key
- a saved WinSCP session
- a bookmarked internal web service
Breadcrumbs create additional paths for attackers to discover and interact with your Canaries.
By placing Breadcrumbs in realistic locations throughout your environment, you increase the likelihood of attacker interaction and gain high-fidelity alerts when those resources are accessed.
Breadcrumbs help you know when it matters!
Breadcrumbs vs Canarytokens
Breadcrumbs are not Canarytokens.
Canarytokens are standalone tripwires that generate alerts when interacted with.
Breadcrumbs are tied directly to services enabled on your Canaries and are designed to appear as familiar, trusted parts of an environment attackers are already exploring.
Available Breadcrumbs
| Service | Breadcrumbs |
|---|---|
| SSH | 🔑 SSH Key, 💻 PuTTY Profile |
| FTP | 📁 FileZilla Profile, 📁 WinSCP Profile, 🖥️ Windows FTP Shortcut |
| RDP | 🖥️ RDP Profile |
| HTTP / HTTPS | 🌐 Windows Web Shortcut, 🌐 macOS Web Shortcut |
| SMB File Share | 📂 Windows SMB Shortcut |
Placing Breadcrumbs
The best Breadcrumbs are the ones attackers believe belong there.
Breadcrumbs work best in locations that attackers are likely to investigate during post-compromise activity but that ordinary users rarely interact with during day-to-day work.
Different Breadcrumb types naturally fit in different locations:
- SSH entries fit naturally on jump boxes, administrator systems, and developer workstations.
- RDP profiles work well on administrator and support workstations.
- SMB and FTP shortcuts make sense on shared systems, file servers, and operational infrastructure.
- Web shortcuts work well for internal dashboards, management portals, and administrative services.
Common Breadcrumb placement locations include:
- Password managers
- Remote administration tools
- Jump boxes
- Administrator workstations
- Backup systems
- Shared administrative systems
- Configuration repositories
The most effective Breadcrumbs are the ones attackers believe belong there. Place them where they appear natural and consistent with the surrounding environment.
Deploying at Scale
Breadcrumbs can be generated and deployed in bulk using the Canary API and existing deployment tooling.
Many teams deploy them using:
- Microsoft Intune
- Ansible
- CrowdStrike
- Endpoint management and software deployment platforms
For automated deployments, Breadcrumbs can also be generated via the API using deployment-only API keys, allowing teams to securely generate and deploy Breadcrumbs at scale without granting broader Console access.
Breadcrumb Guides
Choose a Breadcrumb type below for deployment instructions and placement ideas.
SSH:
- SSH Key - Makes a Canary appear as a trusted SSH host that administrators or automation systems already access.
- PuTTY Profile - Makes a Canary appear as an SSH system administrators already connect to using PuTTY.
FTP:
- FileZilla Profile - Makes a Canary FTP service appear as an existing operational file transfer endpoint.
- WinSCP Profile - Creates a believable saved file transfer session for administrative or operational workflows.
- Windows FTP Shortcut - Makes a Canary FTP service appear as a previously accessed internal file location.
RDP:
- RDP Profile - Creates a believable Remote Desktop path toward a Canary system.
HTTP / HTTPS:
- Windows / macOS Web Shortcut - Makes a Canary web service appear as an internal dashboard, portal, or operational tool.
SMB File Share:
- Windows SMB Shortcut - Makes a Canary file share appear as an existing internal network resource.
Next Steps
Choose Breadcrumbs that align with:
- The services enabled on your Canaries
- The systems attackers are likely to explore
- The workflows already present in your environment
Then deploy them in locations where they appear natural and believable to an attacker. A good approach is to place Breadcrumbs where an attacker is likely to follow them into an interaction with a Canary, while avoiding unnecessary noise from ordinary users.
Breadcrumbs make your Canaries more discoverable by creating additional paths that lead attackers toward Canary services, increasing the likelihood of early detection during post-compromise activity.