Cloned Website Canarytokens are ideal candidates for login pages. Using this Canarytoken makes it possible to detect website cloning while an attacker is still busy building their landing page(s).
As an example, we embedded a Canarytoken within the Active Directory Federation Services (ADFS) login page. Below are some simple instructions required to create and modify a custom ADFS theme including the Canarytoken.
To maximise the value of this Token, we suggest using a custom Canarytoken domain and obfuscating the JavaScript that the Token generates. To obfuscate the Token's JavaScript, which we recommend, simply toggle on "Obfuscate Script" for the Token in your Canary Console.
The PowerShell commands below were run on the ADFS server to build and apply the newly created theme.
Create a custom ADFS theme
Using PowerShell, create a custom ADFS web theme which we'll edit later to include our Cloned Website Canarytoken.
New-AdfsWebTheme -Name custom -SourceName default
Export the default theme
Using the PowerShell command below, export the default theme.
Export-AdfsWebTheme -Name default -DirectoryPath c:\theme
Create a Cloned Website Canarytoken
Check the guide here.
Embed the Canarytoken Script
Great, you've successfully created your Cloned Website Canarytoken. Let's move forward with the final ADFS configuration items.
After creating your Canarytoken using the guide linked above, embed the Token's JavaScript into the exported theme at c:\theme\script\onload.js.
If you went ahead and configured a custom domain and obfuscated the JavaScript, your onload.js file should look something like this:
Modify the custom theme
Modify the newly created "custom" theme so that it uses the modified onload.js containing the Token's JavaScript.
Set-AdfsWebTheme -TargetName custom -OnLoadScriptPath "c:\theme\script\onload.js"
Apply the custom theme
Set the "custom" theme as the active theme including the embedded Cloned Website Canarytoken.
Set-AdfsWebConfig -ActiveThemeName custom
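The steps above combined into one script, with a backup of the exported onload.js and a check that the active theme really carries the Token. This is an added example, not part of the original guide; the token file path, the marker comment and the verification directory are assumptions chosen for illustration.

```powershell
# Added example: run in an elevated PowerShell session on the ADFS server.
# Assumption: $TokenJs holds the script copied from your Canary Console.
$ErrorActionPreference = 'Stop'
$ThemeName = 'custom'
$ExportDir = 'c:\theme'
$VerifyDir = 'c:\theme-verify'                 # hypothetical scratch directory
$TokenJs   = 'c:\temp\canarytoken.js'          # hypothetical path
$Marker    = '// cloned-website-canarytoken'   # hypothetical marker comment
$OnLoad    = Join-Path $ExportDir 'script\onload.js'

if (-not (Test-Path $TokenJs)) { throw "Token script not found: $TokenJs" }

# Create the custom theme only if it does not exist yet.
if (-not (Get-AdfsWebTheme | Where-Object Name -eq $ThemeName)) {
    New-AdfsWebTheme -Name $ThemeName -SourceName default
}

# Export the default theme so we start from the stock onload.js.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
Export-AdfsWebTheme -Name default -DirectoryPath $ExportDir

# Append the token script instead of overwriting, so the stock
# ADFS onload logic keeps working. Keep a backup of the original.
Copy-Item -Path $OnLoad -Destination "$OnLoad.bak" -Force
$existing = Get-Content -Path $OnLoad -Raw
if (-not $existing.Contains($Marker)) {
    $token = Get-Content -Path $TokenJs -Raw
    Add-Content -Path $OnLoad -Value "`r`n$Marker`r`n$token"
}

# Attach the modified script to the custom theme and activate it.
Set-AdfsWebTheme -TargetName $ThemeName -OnLoadScriptPath $OnLoad
Set-AdfsWebConfig -ActiveThemeName $ThemeName

# Verify: the active theme is ours and its onload.js contains the marker.
$active = (Get-AdfsWebConfig).ActiveThemeName
if ($active -ne $ThemeName) {
    throw "Active theme is '$active', expected '$ThemeName'"
}
New-Item -ItemType Directory -Path $VerifyDir -Force | Out-Null
Export-AdfsWebTheme -Name $ThemeName -DirectoryPath $VerifyDir
$check = Join-Path $VerifyDir 'script\onload.js'
if (-not (Select-String -Path $check -SimpleMatch $Marker -Quiet)) {
    throw "Token marker not found in the active theme's onload.js"
}
Write-Output "Theme '$ThemeName' is active and carries the Canarytoken script."
```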