Login pages are ideal candidates for Cloned Website Canarytokens. The Canarytoken makes it possible to detect website cloning while an attacker is still busy building their landing pages.
As an example, we embedded a Canarytoken within the Active Directory Federation Services (ADFS) login page. The instructions below create and modify a custom ADFS theme that includes the Canarytoken.
To maximise the value of this token, it's suggested to use a custom Canarytoken domain and to obfuscate the JavaScript that the token generates. We used https://obfuscator.io/ for obfuscation, and we'll cover this in the steps below.
Note: The PowerShell commands below were run on the ADFS server to build and apply the newly created theme.
Create a custom ADFS theme
Using PowerShell, create a custom ADFS web theme, which we'll edit later to include our Cloned Website Canarytoken.
New-AdfsWebTheme -Name custom -SourceName default
Export the default theme
Using the PowerShell command below, export the default theme.
Export-AdfsWebTheme -Name default -DirectoryPath c:\theme
Create a Cloned Website Canarytoken
Great, you've successfully created your Cloned Website Canarytoken. Let's move forward with the final ADFS configuration items.
After creating your Canarytoken using the guide linked above, embed the token JavaScript into the exported theme at c:\theme\script\onload.js.
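To show why the embedded script alerts only when the page is served from somewhere else, here is an unobfuscated sketch of a cloned-site check. It is an added example, not the JavaScript that Canarytokens generates and not code from the original page. The host `adfs.example.com`, the alert URL, all function names and the hostname-comparison design are assumptions made for illustration.

```javascript
// Added illustration: unobfuscated sketch of a cloned-site check.
// LEGIT_HOSTS and ALERT_URL are constructed placeholders, not real token values.
const LEGIT_HOSTS = ["adfs.example.com"];
const ALERT_URL = "https://tokens.example.invalid/PLACEHOLDER_TOKEN_ID/beacon.gif";

// Normalise a hostname so case and a trailing dot do not cause false alerts.
function normaliseHost(host) {
  return String(host || "").trim().toLowerCase().replace(/\.$/, "");
}

// True when the page is served from a host that is not on the allow-list.
function isCloned(host, legitHosts) {
  const h = normaliseHost(host);
  return !legitHosts.map(normaliseHost).includes(h);
}

// Build the beacon URL, or return null when the page is on a legitimate host.
// l = where the copy is hosted, r = the page that linked to it.
function buildAlertUrl(loc, referrer, legitHosts, alertUrl) {
  let host;
  try {
    host = new URL(loc).hostname;
  } catch (e) {
    host = ""; // unparsable location: treat as not legitimate
  }
  if (!isCloned(host, legitHosts)) return null;
  const q = new URLSearchParams({ l: loc, r: referrer || "" });
  return alertUrl + "?" + q.toString();
}

// Browser hook: only runs where a DOM exists (for example inside onload.js).
if (typeof document !== "undefined" && typeof Image !== "undefined") {
  const url = buildAlertUrl(location.href, document.referrer, LEGIT_HOSTS, ALERT_URL);
  if (url) {
    new Image().src = url; // fire-and-forget request that triggers the alert
  }
}
```

A copy opened from a local file has an empty hostname, so the sketch treats it as cloned as well.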
If you went ahead and configured a custom domain and obfuscated the JavaScript, your onload.js file should look something like this:
Modify the custom theme
Modify the newly created "custom" theme to include the modified JavaScript from above.
Set-AdfsWebTheme -TargetName custom -OnLoadScriptPath "c:\theme\script\onload.js"
Apply the custom theme
Set the "custom" theme, which now includes the embedded Cloned Website Canarytoken, as the active theme.
Set-AdfsWebConfig -ActiveThemeName custom