Overview
The Windows / macOS Web Shortcut Breadcrumb creates a web shortcut that points to a Canary running the HTTP or HTTPS Web Server service.
To an attacker, the shortcut appears as a previously accessed internal web application, management portal, dashboard, or operational website.
Attackers commonly inspect Desktop shortcuts, bookmarks, and frequently accessed resources while exploring compromised systems. Placing believable web shortcuts on systems an attacker is likely to explore can help steer reconnaissance and browser activity toward your Canaries.
Placement Ideas
Good locations for Windows / macOS Web Shortcut Breadcrumbs include:
- Administrator workstations: Place shortcuts alongside existing infrastructure management tools, dashboards, and operational resources.
- Shared workstations: Place shortcuts on Desktop locations or shared user profiles where access to internal web applications would be expected.
- Operations and support systems: Place shortcuts near documentation, reports, monitoring tools, or other resources used during day-to-day operations.
Follow the steps below to create a Windows / macOS Web Shortcut Breadcrumb:
Step 1: Log in to your Console
Step 2: Confirm HTTP or HTTPS is enabled on the Canary
Click the Canary you want to use for the Web Shortcut Breadcrumb and confirm that HTTP / HTTPS Web Server is enabled.
Step 3: Open the Breadcrumbs tile on your Flock
Once you have confirmed that the HTTP / HTTPS Web Server is enabled, open the Breadcrumbs tile to create and download the Windows / macOS Web Shortcut Breadcrumb.
Step 4: Select the Breadcrumb
Select Windows / macOS Web Shortcut from the list of available Breadcrumbs.
Web Shortcut Breadcrumbs are available for both Windows and macOS, and can be generated for HTTP or HTTPS services.
If the Breadcrumb you want to create is greyed out, none of the Canaries in the selected Flock have the required service enabled. Enable the required service on a Canary and try again.
Step 5: Select the Canary
1 - Select the Canary from the drop-down list. In this example, we have selected the Internal-Portal-01 Canary.
2 - Select Create to create the Breadcrumb.
If a Canary is not available in the drop-down list, it does not have the service required for this Breadcrumb enabled. Enable the required service on the Canary and try again.
Step 6: Download the Breadcrumb
Select Download Breadcrumb to download the Breadcrumb file.
The download section contains the following:
- crumb – Displays the shortcut configuration that will create the web shortcut.
- Download Breadcrumb – Downloads the file required to deploy the selected Web Shortcut Breadcrumb.
The downloaded file type depends on the Web Shortcut Breadcrumb selected.
Windows Web Shortcut
Downloads a .url file.
macOS Web Shortcut
Downloads a .webloc file.
Step 7: Deploy the Breadcrumb on the target host
Copy the downloaded shortcut file to the target system.
In this example, the deployed Breadcrumb creates a web shortcut named Internal-Portal-01, which is now visible on the Desktop alongside other commonly used resources and operational tools.
Selecting the shortcut opens the associated web service hosted by the Canary.
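As an added example (not part of the original guide or the vendor's tooling), the Python code below reads the URL out of a .url or .webloc file and checks that it points at one of your Canaries, which is useful for validating a folder of Breadcrumb files before copying them to hosts. The hostname, sample file contents, and function names are constructed for illustration; the code assumes the standard [InternetShortcut] INI layout for .url files and a property list with a URL key for .webloc files.

```python
import configparser
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample inputs; replace the host with your own Canary's name or IP.
CANARIES = {"internal-portal-01.example.internal"}
SAMPLE_URL = b"[InternetShortcut]\r\nURL=https://internal-portal-01.example.internal/\r\n"
SAMPLE_WEBLOC = plistlib.dumps({"URL": "https://internal-portal-01.example.internal/"})


def shortcut_target(name, data):
    """Return the URL stored in a .url (Windows) or .webloc (macOS) shortcut."""
    suffix = Path(name).suffix.lower()
    if suffix == ".url":
        # INI text; split on "=" only so the ":" in "https://" is not a delimiter.
        ini = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
        ini.read_string(data.decode("utf-8-sig", errors="replace"))
        for section in ini.sections():
            if section.lower() == "internetshortcut" and ini[section].get("url"):
                return ini[section]["url"].strip()
        raise ValueError(f"{name}: no URL in [InternetShortcut]")
    if suffix == ".webloc":
        # Property list, XML or binary; plistlib detects which.
        plist = plistlib.loads(data)
        if isinstance(plist, dict) and isinstance(plist.get("URL"), str):
            return plist["URL"].strip()
        raise ValueError(f"{name}: no URL key in plist")
    raise ValueError(f"{name}: not a .url or .webloc file")


def points_at_canary(name, data, canary_hosts):
    """True when the shortcut is http(s) and its host is a known Canary."""
    parts = urlsplit(shortcut_target(name, data))
    return parts.scheme in ("http", "https") and (parts.hostname or "") in canary_hosts


def audit_dir(root, canary_hosts):
    """Map each shortcut file under root to 'ok', 'wrong-target' or a parse error."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in (".url", ".webloc"):
            continue
        try:
            ok = points_at_canary(path.name, path.read_bytes(), canary_hosts)
            report[path.name] = "ok" if ok else "wrong-target"
        except Exception as exc:  # malformed INI or plist
            report[path.name] = f"unreadable: {exc}"
    return report
```

Run `audit_dir` against the folder holding the downloaded Breadcrumb files; anything other than `ok` means the shortcut would not lead to a Canary.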
Alerts
Alert Type: HTTP Login Attempt
This is the standard HTTP Login Attempt alert generated by the Canary.
The alert contains details associated with the login attempt, including the username and password submitted, requested path, user agent information, HTTP headers, POST arguments, and additional alert information.
You’ve made it!