Skip to main content

Search

Deploying Canarytokens using Crowdstrike Falcon

Using Crowstrike Real Time Response, we're able to deploy Canarytokens onto various endpoints. Below we'll walk through the configuration required to execute a Powershell script onto an endpoint configured with the Falcon agent.

The script will perform the following:

  1. Create a new AWS API key Canarytoken
  2. Download an enticing MS Word document from a private Github repository
  3. Tokenise the downloaded MS Word document
  4. Embed the AWS API key into the document
  5. Perform Timestomping on the newly placed stacked Canarytoken

There's no need to go this complex, a simple token would do, but we figured we'd experiment with automated token stacking.

Github

Personal access token

We'll create a personal access token on Github. The purpose of the token is to allow us to download an MS Word template from a private Github repository. The template can contain some enticing information and should include some text which the script will replace with an AWS API key Canarytoken

Head over to your Github account, go to "settings" and finally "Developer settings" (Or click on the link here). Create a new token by clicking the "Generate new token" button. You can set the lifetime of the token to a little as possible and reduce the scope of the token to "repo" only.

new_access_token.png

Private repository

Create a new private repository where you will host your MS Word template. Head over to https://github.com/new, select the private repository radio button and click on "Create repository".

private_repo.png

Template MS Word document

Next, we'll create an MS Word document (sample.docx) containing some enticing text as well as two placeholders. This can be any unique text ("meep", "sheep") that we'll replace with an AWS API key.

word_template.png

Upload the document to your private repository either using git cli or by simply clicking the "add file" button on the user interface.

upload_file.png

Now we're ready to configure Crowdstrike and make some final adjustments to the tokenisation script.

Crowdstrike Configuration

Host Group

In your Crowdstrike Console, head over to "Host setup and management" then select "Host groups" and create a group of hosts you would like to deploy Canarytokens onto.

host_group.png

The new Host group will be empty, and we'll need to assign hosts and a response policy to the group. Click "Add Hosts" and select the applicable hosts.

add_hosts.png

Response Policy

In your Crowdstrike Console head over to "Host setup and management" then select "Response Policies" and create your policy.

policy.png

Next select "Real Time Response" and enable "Custom Scripts" on the policy. Subsequently "Enable" and "Save" the policy.

response_policy.png

Click on the "ASSIGNED HOST GROUPS" tab and select the host group created above.

add_hostgroup_to_policy.png

Response Scripts and Files

Now that we've configured the relevant hosts and permissions to execute scripts, we need to upload the script to CrowdStrike. We'll need to make some modifications to the script and upload it.

Download Invoke-EmbedWordwithAWS.ps1 and modify the following variables:

Replace the empty "Domain" and "FactoryAuth" variables with your applicable values.

(Get-Content .\Invoke-EmbedWordwithAWS.ps1) | %{ $_ -replace "Domain = '1234abc.canary.tools'", "Domain = 'xxxxyyyy.canary.tools'"} | Set-Content .\Invoke-EmbedWordwithAWS.ps1
(Get-Content .\Invoke-EmbedWordwithAWS.ps1) | %{ $_ -replace "FactoryAuth = 'a1bc3e769fg832hij3'", "FactoryAuth = 'aaaaaaaaaaaaaaabbbbbbbbbbbbbbbbb'"} | Set-Content .\Invoke-EmbedWordwithAWS.ps1

Substitute the value within the "pathToTemplateFile" with your newly created repository and template file. Private Repo's use the github API and it's URL should should follow the format of https://api.github.com/repos/repo_owner/private_repo_name/contents/sample.docx

(Get-Content .\Invoke-EmbedWordwithAWS.ps1) | %{ $_ -replace "pathToTemplateFile = 'https://api.github.com/repos/repo_owner/private_repo_name/contents/sample.docx'", "pathToTemplateFile = 'https://api.github.com/repos/tkempheks/vigilant-chainsaw/contents/sample.docx'"} | Set-Content .\Invoke-EmbedWordwithAWS.ps1

Substitute the values within the "FindText" and "FindText2" variables. In the document above these values were set to "meep" and "sheep". The script will replace meep and sheep with valid AWS API key credentials.

(Get-Content .\Invoke-EmbedWordwithAWS.ps1) | %{ $_ -replace "FindText = 'AKIASJ2WZMVFQGNWG4HA'",
"FindText = 'meep'"} | Set-Content .\Invoke-EmbedWordwithAWS.ps1
(Get-Content .\Invoke-EmbedWordwithAWS.ps1) | %{ $_ -replace "FindText2 = 'zXqAw2NlqNdha1IVCBNkIdv74AdfPw6MMb6xKBw5'",
"FindText2 = 'sheep'"} | Set-Content .\Invoke-EmbedWordwithAWS.ps1

Substitute the "Personal_Access_Token" variable with the token created in Github.

(Get-Content .\Invoke-EmbedWordwithAWS.ps1) | %{ $_ -replace "Personal_Access_Token = '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'",
"Personal_Access_Token = 'ghp_9Ue8C5uaaaaaBmW8yf3HbbbbbGiX90SWEaa'"} | Set-Content .\Invoke-EmbedWordwithAWS.ps1

Finally, substitute the values in the "mainFolder" and "randomCanaryToken" array. This will create a randomised folder structure and filename for your stacked Canarytoken.

(Get-Content .\Invoke-EmbedWordwithAWS.ps1) | %{ $_ -replace "'Application1','Application2','Application3'",
"'VMware','Cisco','Splunk'"} | Set-Content .\Invoke-EmbedWordwithAWS.ps1

(Get-Content .\Invoke-EmbedWordwithAWS.ps1) | %{ $_ -replace "'doc1.docx', 'doc2.docx'",
"'backup_credentials.docx', 'access_information.docx'"} | Set-Content .\Invoke-EmbedWordwithAWS.ps1

Head over to "Host setup and management" then select the "CUSTOM SCRIPTS" tab and hit the "Create script" button.

response_script.png

Give the script a name, copy the modified contents into the "SCRIPT" text box and hit "CREATE".

create_scrip.png

Now we can execute the script using Crowdstrike Falcon and confirm that our template document has been tokenised and embedded with an AWS API Key Canarytoken.

Real Time Response

Using Real Time Response we can now establish a shell onto our endpoint and execute the script we uploaded. Navigate to your host under Host Management and hit the "Connect to Host" button.

connect_to_host.png

With the interactive shell on the host execute the script. This can be achieved by typing out the full command "runscript -CloudFile="deploy_stacked_canary_token" or by clicking on the "SCRIPT NAME" under the "Custom scripts" tab. This will automatically type out the above mentioned command. Click on the "RUN" button.

runscript.png

Real Time Response (Optional)

It's also possible to automate the deployment leveraging the Crowdstrike Falcon API. Below are the steps to execute the script using the API. In your Crowdstrike Console, head over to "Support and resources" then select "API clients and keys" and create a new API client.

cs_api_client.png

Enter a "CLIENT NAME", "DESCRIPTION" and select the necessary permissions as indicated below.

cs_api_client_2.png

Creating the API now provides a client_id and client_secret which are required in the API calls below.

The following API calls can be made to execute the script onto various endpoints. Replace the "client_id" and "client_secret" with your applicable values to obtain a valid bearer token.

curl -X POST \
--data-binary 'client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET' \
https://api.us-2.crowdstrike.com/oauth2/token

The command produces a bearer token required in the subsequent API calls:

eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo3ODdlZjkxZC01YzMxLTQ3YzktYjg0Ni1kNDIzNTk1M2FmYWEiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOltdLCJjbGllbnRfaWQiOiI5ZGRiYjYwZThiM2I0ODI3OWFlNWRiOWUwZTgyMGM5MSIsImV4cCI6MTY1NzU2MDMxOSwiZXh0Ijp7fSwiaWF0IjoxNjU3NTU4NTE5LCJpc3MiOiJodHRwczovL2FwaS5jcm93ZHN0cmlrZS5jb20udG9kby8iLCJqdGkiOiJlNDM1YmNiMi1jNmIzLTRkMTctOTkyMy0zOWFiNWQwYzE0YjIiLCJuYmYiOjE2NTc1NTg1MTksInNjcCI6W10sInN1YiI6IjlkZGJiNjBlOGIzYjQ4Mjc5YWU1ZGI5ZTBlODIwYzkxIiwic3ViX3R5cGUiOm51bGx9.iILADwruTaLsVvihVqFBN5p_ctBRuWb_xYp07uXkokI8xFrCNaLu41bzxu2r4l-qi1760P6oTfyGcoJTU3PHzQZ9wwKfvu42JBsXQunNbZhsL6ME_1MdL6R56gPA9_5z567q8Jcp70MGHmtPlNdQWTiSxp2hhxFNqcgKRZ1iee6mZsTq6KAoT34luMhG-TES_Kx2O2m646IAyYqvR93iDdGenNu3LvWDPfRim-bmOspxOQzyagMMG4J-WI5nDvQzauNczh3GuX1y80AoddqepbskaaC5ijNhKyIhA2lLcS9tYdrqBO3JKb_TR4wc4b1ntWCSXOM_pJ5dUfJjLNkl9aLaVUkZAcCkJWtqL6vcgrcb9scaM5zeSTuh-cm-DKtzuhiayxI1Rm5xeShVIZ2z7UUGFcS2isGzglxI3v2czbZdu0UVDh3OY00kvz1zx4wO9Sjz1dVtJA33OdegQAzdYmnl7FSarJvaztOIiacB9Of6mxY8VEGGHoAqwdfSf5F_lGWgJDFbpf9exUzUHSTCFaFiEvJl2mOeNw_usAEh18c0SK7M-TjdUZtyvc26cUJjFlWzkBgmlUEPxZ9UCMDEyXAQLCWIKg3beOhp1L28POo4PeMbzUcMTRvFNi9y-YWKvwJQcoHBwF5khsdalSGH0-vuCh_rRqAiFiRyEVlR_mY

Using the above bearer token grab the host ID you want to deploy the tokens onto.

curl -X GET "https://api.us-2.crowdstrike.com/devices/queries/devices/v1" -H "authorization: Bearer YOUR_BEARER_TOKEN"

The command produces host id's and we'll grab the host ID we want to deploy the token onto.

11355ed91zzz471d8b7fdccac6933096

The next step is to open a real-time-response session and thereafter we'll use the session to execute the same script as above.

curl -X POST "https://api.us-2.crowdstrike.com/real-time-response/combined/batch-init-session/v1?timeout=30&timeout_duration=30s" -H "authorization: Bearer YOUR_BEARER_TOKEN" -H "Content-Type: application/json" -d "{ \"host_ids\": [ \"YOUR_HOST_ID\" ], \"queue_offline\": true}"

The command produces a session_id which is required to execute a command on the endpoint.

c589edf2-1362-4b3c-a444-71630a67d508

Now we have all the information required to execute the runscript command via the API.

curl -X POST \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN' -H $'Content-Type: application/json' \
--data-binary $'{ \"base_command\": \"runscript\", \"command_string\":\"runscript -CloudFile=\\\"deploy_stacked_canarytoken\\\" -CommandLine=\\\"\\\"\", \"device_id\": \"YOUR_DEVICE_ID\", \"id\": 0, \"persist\": true, \"session_id\": \"YOUR_SESSION_ID\"}' \
https://api.us-2.crowdstrike.com/real-time-response/entities/active-responder-command/v1

Now you've deployed the tokens onto the endpoint manually, or by performing a couple API calls mentioned above. Next step, have a look at the alerts.

Canary Alerts

The result is an MS Word Canarytoken dropped in the "C:\ProgramData\Splunk\Backup" folder containing an embedded AWS API key Canarytoken. We'll open up the document which triggers the initial alert and subsequently perform an AWS API call to verify that they key triggers an alert as expected.

token_deployed.png

Opening up the document above produces the following alert:

ms_word_alert.png

The subsequent AWS API call produces the following alert:

aws_alert.png

Was this article helpful?
39 out of 44 found this helpful
Return to top