Description
This Canarytoken alerts when a MySQL dump file is loaded by an attacker. Dump files are used to back up MySQL databases into a single text file, making them attractive to attackers. Simply leave it where backups are likely to be found, and if it ever fires you know someone has tried to restore it.
Deployment
Head over to your Console and search for the MySQL Dump Canarytoken from the available types. Add a memo, which you will receive when the token fires, to remind you where you've placed it.
With your Canarytoken now created, there are two routes for deployment:
- Copy the Canarytoken snippet and insert it into a MySQL dump file of your own; or
- Download a pseudo-random dump file we make for you, which contains generic data that would be expected as part of a backup and includes the Canarytoken.
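For the first route, the following added example (not code from the Canarytoken Console or its documentation) splices a snippet into an existing dump just before the first table statement; the mysql client runs statements in order, so a snippet near the top runs before any later statement can fail. The function names, file names, sample dump and the CANARYTOKEN-SNIPPET-PLACEHOLDER line are constructed for illustration; replace the placeholder with the snippet copied from your Console.

```shell
#!/bin/sh
# Added example: splice a Canarytoken snippet into your own MySQL dump.

# embed_token DUMP SNIPPET OUT
# Writes DUMP to OUT with SNIPPET inserted before the first DROP/CREATE TABLE
# line (a statement boundary near the top); appends it if no such line exists.
embed_token() {
    [ -s "$2" ] || { echo "snippet file is empty: $2" >&2; return 1; }
    awk -v snip="$2" '
        function emit(   line) {
            while ((getline line < snip) > 0) print line
            close(snip); placed = 1
        }
        !placed && /^(DROP|CREATE) TABLE/ { emit() }
        { print }
        END { if (!placed) emit() }
    ' "$1" > "$3"
}

# first_line FILE TEXT: line number of the first line containing TEXT
first_line() {
    grep -n -F -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# make_sample DIR: constructed dump and placeholder snippet for the demo
make_sample() {
    cat > "$1/own-dump.sql" <<'EOF'
-- MySQL dump (constructed sample)
/*!40101 SET NAMES utf8mb4 */;
DROP TABLE IF EXISTS `customers`;
CREATE TABLE `customers` (`id` int NOT NULL, `email` varchar(255));
INSERT INTO `customers` VALUES (1,'a@example.com');
EOF
    # Placeholder: replace with the snippet copied from your Console.
    echo '-- CANARYTOKEN-SNIPPET-PLACEHOLDER' > "$1/snippet.sql"
}

work=$(mktemp -d)
make_sample "$work"
embed_token "$work/own-dump.sql" "$work/snippet.sql" "$work/backup-archive-dump.sql"
echo "snippet at line $(first_line "$work/backup-archive-dump.sql" CANARYTOKEN-SNIPPET-PLACEHOLDER)"
rm -rf "$work"
```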
An attacker who tries to restore this file will trip the Canarytoken:
mysql -u root -p newdatabase < ~/Documents/backup-archive-dump.sql
This results in an alert on the Console.