Description: This token creates fake WireGuard VPN configurations that you install on your phone or on servers and that alert when used. Its value as a signal of compromise is that an attacker who lands on your device will want to check what further privileged access the VPN gives them, so that they can spread their compromise further and grab more data. For more on the thinking behind this WireGuard Canarytoken, see this blog post.
Step 1:
Log in to your Console.
Step 2:
Select the Canarytokens tile.
Step 3:
Select the WireGuard VPN Canarytoken from the list.
Step 4:
Give a friendly name to remind you where this WireGuard VPN is configured and click on Create token.
Note: Over time, you will deploy thousands of tokens all over the place. Make sure that your Reminder is as descriptive as possible, so that it reminds you in the future where the token was dropped. It creates confusion if a token generates an alert that reads "test" and you cannot remember where you placed it.
Step 5:
The Canarytoken will then give you two options to deploy the WireGuard VPN Canarytoken.
Deploy using the QR code.
Step 1:
On your phone, open the WireGuard app and click Add a tunnel and then click Create from QR code.
Step 2:
Scan the QR code under the WireGuard VPN Canarytoken.
Step 3:
Give the tunnel a name and click Save.
Note: We named our tunnel Head Office VPN.
Step 4:
Your WireGuard VPN Canarytoken is now active and waiting for someone to trip on it!
That's it, you're done :-)
How does this Canarytoken alert?
When the connection is activated, you'll be alerted!
Sample Alert:
Deploy using the config file.
Alternatively, if the device you want to add the Canarytoken to doesn't support scanning of QR codes, you can simply download the Canarytoken configuration as a file, and import it into WireGuard:
Step 1:
Download the WireGuard VPN Config File.
Step 2:
On the device you want to install the Token on, open the WireGuard application and click Import tunnel(s) from file.
Step 3:
Select the Token file, and click Allow when prompted.
Step 4:
Your WireGuard VPN Canarytoken is now active and waiting for someone to trip on it!
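For the server case mentioned in the description, where there is no app to click through, the downloaded config file can be staged from a shell. This is an added example, not part of the original guide or of Thinkst's tooling; the function name, the tunnel name and the `/etc/wireguard` destination (the directory `wg-quick` reads `<name>.conf` from) are assumptions. It only places the file and never brings the tunnel up, because activating the connection is what raises the alert.

```shell
#!/bin/sh
# Added example: stage a downloaded WireGuard Canarytoken config on a Linux server.
# install_decoy_wg SRC NAME [DEST_DIR]
#   SRC      - the config file downloaded from the Console (you supply the path)
#   NAME     - tunnel name to present, e.g. head-office (hypothetical)
#   DEST_DIR - defaults to /etc/wireguard (assumed wg-quick layout)
# Prints the installed path on success. The body runs in a subshell, so
# variables and umask changes do not leak into the caller.
install_decoy_wg() (
    src=$1; name=$2; dest_dir=${3:-/etc/wireguard}

    # wg-quick only accepts tunnel names of 1-15 characters from this set.
    case $name in
        ''|*[!a-zA-Z0-9_=+.-]*) echo "invalid tunnel name: $name" >&2; exit 2 ;;
    esac
    [ "${#name}" -le 15 ] || { echo "tunnel name longer than 15 chars" >&2; exit 2; }

    # Check that the file has the sections and keys of a tunnel config,
    # so a truncated or wrong download is not deployed as a decoy.
    for key in '^\[Interface]' '^PrivateKey *=' '^\[Peer]' '^PublicKey *=' '^Endpoint *='; do
        grep -q "$key" "$src" || { echo "$src: no line matching $key" >&2; exit 3; }
    done

    dest=$dest_dir/$name.conf
    # Never overwrite a real tunnel definition with the decoy.
    [ ! -e "$dest" ] || { echo "$dest already exists" >&2; exit 4; }

    # Give the decoy the owner-only permissions a real config would have.
    umask 077
    mkdir -p "$dest_dir" && cp "$src" "$dest" && chmod 600 "$dest" || exit 5
    echo "$dest"
)
```

Run it as root when installing into `/etc/wireguard`, and do not enable the tunnel at boot or test it with `wg-quick up`, since either would trip the token yourself.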
How does this Canarytoken alert?
When the connection is activated, you'll be alerted!
Sample Alert:
That's it, you're done :-)