Description: Tokens can be disguised as executables or dynamic link libraries too.
This token works by signing a .exe or .dll with a certificate that, when checked for validity, touches your Canary Console.
This means that when the executable is run or the .dll is loaded, an alert is created in your Console.
Note: Leaving the token on a desktop won't do very much until the attacker actually uses it. For an .exe, this means direct execution; for a .dll, it means being loaded. It's important to plan which files to token: decide on a few binaries that an attacker might use after gaining access, so that they alert you to mischief. For example, a binary called python/powershell.exe might trick an attacker into running your token whilst trying to run some scripts.
Follow the steps below to tokenize a binary.
Step 1:
Log in to your Console.
Step 2:
Click Add a new Canarytoken.
Step 3:
Create a new token by selecting Custom Exe/Binary from the drop-down list.
Step 4:
Modify the reminder text to your desired scenario, upload the .exe or .dll you'd like to tokenize, and click on Create token.
Over time, if you are using tokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is as descriptive as possible, and we will remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads "test" - and not knowing where you placed it.
Reminder: The executable name will be added to the end of your reminder automatically.
e.g. Webserver root dir - python.exe
Step 5:
Go ahead and download your token for placement.
Alerts:
An alert is created once the binary has been run.