To drop Canarytokens on Windows endpoints, a PowerShell script can be deployed and executed using Microsoft Endpoint Manager (MEM).
The PowerShell script on GitHub should be downloaded and configured as a MEM script, which will then be executed on an applicable Device Collection.
The PowerShell Script
The PowerShell script contains multiple variables that need to be set according to your deployment requirements. In this example we'll deploy an AWS API Key token to the c:\secret directory on multiple targets. The memo/reminder field will include the hostname of the device, so that it's possible to determine where each token has been deployed (and which endpoint an alert came from).
The following variables need to be set within the script:
- Domain
  - Your Console domain hash, e.g. xxxxyyyy.canary.tools
- FactoryAuth
  - Factory auth key, e.g. a1bc3e769fg832hij3
  - Instructions for creating a Canarytoken factory can be found here
- TargetDirectory
  - Directory to create on the endpoint, e.g. c:\secret
- TokenFileName
  - File name to create on the endpoint, e.g. aws_secret.txt
- TokenType
  - The type of token to be created, e.g. AWS API Key
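The following is an added illustration of what a script built around these variables does, and is not the script from the Canarytokens GitHub repository. It assumes the Console's Canarytoken factory API endpoints (/api/v1/canarytoken/factory/create and /api/v1/canarytoken/factory/download) and the kind value "aws-id" for an AWS API Key token; verify those against your Console's API documentation before use. The variable values are placeholders, and every string is double-quoted as the deployment steps require.

```powershell
# Added example, not the Canarytokens project's own script.
# ASSUMPTIONS to verify against your Console's API docs:
#   - create endpoint:   /api/v1/canarytoken/factory/create
#   - download endpoint: /api/v1/canarytoken/factory/download
#   - "aws-id" is the factory "kind" value for an AWS API Key token

# --- Variables described on the page (placeholder values) ---
$Domain          = "xxxxyyyy.canary.tools"   # your Console domain hash
$FactoryAuth     = "a1bc3e769fg832hij3"      # factory auth key (create-only scope)
$TargetDirectory = "C:\secret"
$TokenFileName   = "aws_secret.txt"
$TokenType       = "aws-id"                   # assumed kind for AWS API Key

$ErrorActionPreference = "Stop"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# The memo carries the hostname so an alert tells you which endpoint was touched
$Memo = "AWS key token on $env:COMPUTERNAME at $TargetDirectory\$TokenFileName"

# Create the target directory if it does not exist yet
if (-not (Test-Path -LiteralPath $TargetDirectory)) {
    New-Item -ItemType Directory -Path $TargetDirectory | Out-Null
}

# 1. Mint the token through the factory. A hashtable body is sent form-encoded.
$createBody = @{
    factory_auth = $FactoryAuth
    kind         = $TokenType
    memo         = $Memo
}
$create = Invoke-RestMethod -Method Post `
    -Uri "https://$Domain/api/v1/canarytoken/factory/create" `
    -Body $createBody

if ($create.result -ne "success") {
    throw "Token creation failed: $($create | ConvertTo-Json -Compress)"
}
$TokenId = $create.canarytoken.canarytoken

# 2. Download the rendered token file and write it to the target location
$DownloadUri = "https://$Domain/api/v1/canarytoken/factory/download" +
               "?factory_auth=$FactoryAuth&canarytoken=$TokenId"
$OutPath = Join-Path $TargetDirectory $TokenFileName
Invoke-WebRequest -Uri $DownloadUri -OutFile $OutPath

# 3. Verify locally; MEM reports the exit code and output per device,
#    which is how you confirm the token actually landed
if ((Get-Item -LiteralPath $OutPath).Length -gt 0) {
    Write-Output "Token $TokenId written to $OutPath"
    exit 0
}
Write-Error "Token file at $OutPath is empty"
exit 1
```

Because the factory auth key can only create tokens, it is safe to embed in a script that MEM pushes to many endpoints; the Console API key should never be used in its place. The non-zero exit on failure is what makes the "verify the token has been dropped" step visible from the MEM run results rather than requiring a visit to each device.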
MEM Script
Using the PowerShell script, MEM administrators can create a MEM script that deploys the Canarytokens and apply it to device collections.
Deployment Steps
Create the script
- Go to “Software Library”, select Scripts and click “Create Script”
- Provide a “Script name”, specify PowerShell as the language and paste the provided script into the “Script” text box.
- Verify that the parameters within the script are configured as expected and make use of double quotes instead of single quotes.
- Finish the script creation and click on “close”.
Approve the script
- Go to “Software Library” and select the script that you created above. Click on the “Approve/Deny” ribbon item.
- Verify that the Script Parameters are correct and click “Next”.
- Select the “Approve” radio button and click “next”.
- Finish the script approval and click on “close”.
Create a Device Collection
- Go to “Assets and Compliance” and select “Device Collections”. Click on the “Create Device Collection” ribbon item.
- Select “All Desktop and Server Clients”
- Click on the “Add Rule” drop down, and select “Direct Rule”.
- Select an applicable “Attribute name” to filter on. The example filters for all hostnames starting with “WIN”.
- Select the devices you wish to add to the device collection from the search output.
- Click “Close” to return to the main Device Collection wizard.
- Confirm that the relevant devices have been added to the “Membership rules” and click “Next”.
- Finish the Device Collection creation and click on “close”.
Run the Script
- Go to “Assets and Compliance” and select “Device Collections”. Select the “subset_token_collection” device collection and click on the “Run Script” ribbon item.
- Select the script created above and click “Next”.
- Verify that the parameters within the script are correct, and click “Next”.
- Click “Close” once the script has completed.
- Verify that the token has been dropped into the specified location.
You're done! ;-)