Each Canary can take on the personality of real systems that you have deployed on your network (and maybe some that you don't), and the profiles are based on the OS and services attributes. These are called "personalities". Currently, the Canary can emulate any one of the following personas at a time:
Windows:
- Windows Server 2019 Office Fileshare
- Windows Server 2016 Office Fileshare
- Windows Server 2012 Office Fileshare
- Windows Server 2008 Office Fileshare
- Windows Server 2003 Office Fileshare
- Windows Server 2000 Office Fileshare
- Windows XP Desktop Fileshare
- Windows 7 Desktop Fileshare
- Windows 8 Desktop Fileshare
- Windows 10 Desktop Fileshare
- Microsoft AD Domain Controller 2019
- Microsoft AD Domain Controller 2016
- Microsoft AD Domain Controller 2012
- MS Sharepoint 2010
- IIS 7
- IIS 10
Linux:
- Standard Linux Server
- Linux Database Server
- Linux Proxy Server
- CentOS 7 Server
- Oracle Enterprise Linux 6
- Oracle Enterprise Linux 7
- Oracle Enterprise Linux 8
Apple:
- Mac OS X Fileshare
Networking:
- Dell Switch
- Integrated Dell Remote Access Controller
- Cisco Router
- Cisco VoIP Phone
- Cisco SSL VPN
- SonicWALL NSA 220 Firewall Appliance
- Citrix Gateway
- Palo Alto Firewall
- F5 BIG-IP Edge Gateway
- Check Point Mobile VPN
- Pulse VPN
- Juniper SRX 550
Vendors:
- Canon ImageRUNNER 2525
- CUPS Service
- DiskStation NAS
- HP iLO Server
- IBM z/OS Mainframe
- JBoss Login
- Jenkins Login
- Jira
- Joomla Server
- Kibana Server
- Outlook Web Access
- SAP NetWeaver Windows Server
- Solarwinds
- Sophos User Portal
- Sophos Web Console
- Splunk Linux Server
- Splunk Windows Server
- VMware ESXi 7 Server
- VMware ESXi Server
- VMware vCenter 7 Server
SCADA:
- Rockwell Automation PLC
- Siemens Simatic PLC
- Hirschmann RS20 Industrial Switch
Note: Canaries are configured to emulate the above personalities, which means no licenses (e.g. Microsoft License) or OS images are required when configuring your Canary.
The personality emulation goes beyond just an Operating System fingerprint and some port listeners though, we do a bunch of stuff behind the scenes to make sure your Canaries also talk the right protocol for each of their services as well. So if your Canary has been set up as a SCADA device, it will talk proper Modbus protocol too!
The figure below shows a port and OS scan performed on a Canary, which has been configured as a Cisco router.
As can be seen, we “spoof” the MAC address (so it looks legit) and the actual OS identifies as a version of
IOS running on Cisco kit. To get this result, we take things like TTL response times, TCP Sequencing, OS fingerprint, etc. into account, so all that an attacker sees is a Cisco device, and you get an alert when any of the services are touched.
Below is a full list of available services that any Canary can emulate :
- Portscan Detection
- Webserver - HTTP / HTTPS
- SSH
- File Transfer (FTP)
- MySQL
- Web Proxy
- Microsoft SQL Server (MSSQL)
- Windows File Share (SMB)
- Telnet
- TN3270
- File Transfer (TFTP)
- VNC
- Time Server (NTP)
- VOIP (SIP)
- GIT Repository
- Redis
- Modbus
- MongoDB Database
- Remote Desktop Protocol (RDP)
- Windows Remote Management
- LDAP
Custom TCP Services :
Our custom TCP service allows you to create any number of services on your Canary. For example, you could add TCP/25 to your Canary to have it emulate the SMTP service. Any activity detected on this port will generate an alert. Click here for our guide on setting up custom TCP Services.