Overview
The Browser Cookie Canarytoken creates a browser cookie for a unique Canarytoken domain. If the cookie is sent in a request to its associated domain, or if supported tooling interacts with the cookie, you'll receive an alert.
Attackers commonly target browser cookies when attempting to hijack authenticated sessions, steal credentials, or gather information about a compromised endpoint. Planting a believable browser cookie in locations where cookies are normally stored can help detect attempts to harvest or use browser session data.
By default, Browser Cookie Canarytokens use your Console's unique o3n.io domain. To make the cookie appear even more convincing in your environment, you can configure a custom Canarytokens domain. For instructions, see How do I create a custom Canarytokens domain?
Placement Ideas
Good locations for Browser Cookie Canarytokens include:
- User workstations: Deploy Browser Cookie Canarytokens on browsers used to access business applications and internal web services.
- Shared workstations: Place Browser Cookie Canarytokens on shared or operational systems where multiple users access web-based applications.
- Developer workstations: Deploy Browser Cookie Canarytokens on systems used to access development platforms, cloud services, or source code repositories.
- Remote and virtual desktops: Deploy Browser Cookie Canarytokens on VDI or remote desktop environments used to access internal applications.
Follow the steps below to create a Browser Cookie Canarytoken:
Step 1: Log in to your Canary Console
Step 2: Click the Canarytokens Tile
Click the Canarytokens tile or Add a new Canarytoken.
Step 3: Select the Browser Cookie Canarytoken
Select Browser Cookie from the list of available Canarytokens.
Step 4: Create a Reminder for your Canarytoken
- Select Browser Cookie from the Create a new token list.
- Enter a descriptive Reminder.
- Click Create token.
Over time, if you're using Canarytokens correctly, you'll end up deploying hundreds or even thousands of them across your environment.
- Make sure your Reminder is as descriptive as possible. Future-you will thank you when an alert comes in and you immediately know where the token was deployed.
- Nothing is more frustrating than receiving an alert for a token called "test" and having no idea where you placed it.
- For Browser Cookie Canarytokens, it's helpful to include the hostname where the cookie will be deployed.
We chose "Browser Cookie on JIMS-PC" as the reminder.
Step 5: Copy the Browser Cookie Canarytoken
Select Copy token to copy the Browser Cookie Canarytoken Install URL.
The Browser Cookie Canarytoken section contains the following:
- Install URL – Displays the unique Browser Cookie Canarytoken URL used to deploy the Browser Cookie Canarytoken.
- Copy token – Copies the Browser Cookie Canarytoken URL to your clipboard, ready to deploy to the target host.
While these Canarytokens can be deployed manually, in practice we recommend automating deployment with a headless browser. When taking that approach, schedule the deployment to run on startup, because it requires the browser to be closed.
Browser Cookie Canarytokens have a limited maximum lifespan of 400 days. Canarytokens can be regenerated and redeployed at any time to replace the existing installation and refresh the cookie's lifespan.
Step 6: Deploy the Browser Cookie Canarytoken
- Open the Browser Cookie Canarytoken Install URL in the target browser.
- To verify the deployment, open the browser's cookie settings and confirm that the cookie has been created for the associated domain.
In this example, the Browser Cookie Canarytoken has been deployed for yourtokensdomain, where it is visible as a browser cookie.
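For automated deployments, the Step 6 check and the 400-day lifespan can be verified from the browser's cookie store rather than the settings UI. The following is an added example, not Thinkst's own tooling: it assumes a Chromium-style cookie database (table `cookies`, columns `host_key` and `expires_utc`), and the function names, the 30-day renewal threshold and the sample rows are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium cookie timestamps: microseconds since 1601-01-01 UTC.
CHROMIUM_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RENEW_BEFORE_DAYS = 30  # assumption: redeploy when fewer than 30 days remain


def to_chromium_time(dt):
    return (dt - CHROMIUM_EPOCH) // timedelta(microseconds=1)


def from_chromium_time(us):
    return CHROMIUM_EPOCH + timedelta(microseconds=us)


def check_token_cookie(conn, token_domain, now):
    """Return (status, days_left) for cookies stored for token_domain.

    Reads only host and expiry metadata from the store and sends no request.
    """
    rows = conn.execute(
        "SELECT expires_utc FROM cookies WHERE host_key = ? OR host_key LIKE ?",
        (token_domain, "%." + token_domain),  # exact host, or domain/subdomain cookie
    ).fetchall()
    if not rows:
        return ("missing", None)  # deployment did not take, or the cookie was purged
    days_left = max((from_chromium_time(e) - now).days for (e,) in rows)
    if days_left < 0:
        return ("expired", days_left)
    if days_left < RENEW_BEFORE_DAYS:
        return ("renew", days_left)  # regenerate and redeploy the token
    return ("ok", days_left)


def build_sample_store(now):
    """Constructed in-memory store with a subset of Chromium's columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, expires_utc INTEGER)")
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?)", [
        ("yourtokensdomain", "session", to_chromium_time(now + timedelta(days=20))),
        ("intranet.example", "sid", to_chromium_time(now + timedelta(days=400))),
    ])
    return conn


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(check_token_cookie(build_sample_store(now), "yourtokensdomain", now))
```

Against a real profile, pass a connection to a copy of the cookie database taken while the browser is closed, and use the "missing", "expired" and "renew" results to drive redeployment.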
Alert
Alert Type: Browser Cookie Canarytoken Triggered
This alert is generated when the Browser Cookie Canarytoken is sent in a request to its associated domain. The alert includes details of the request, including the request path, browser and platform information, GeoIP details, and the HTTP request headers, including the Browser Cookie Canarytoken and additional alert information.
You’ve made it!