Cloned Website Canarytokens are ideal candidates for login pages. Using this Canarytoken makes it possible to detect website cloning while an attacker is still building their landing page(s).
As an example, we embedded a Canarytoken within the Active Directory Federation Services (ADFS) login page. Below are the steps to create and modify a custom ADFS theme that includes the Canarytoken.
Note: The PowerShell commands below were run on the ADFS server to build and apply the newly created theme.
Create a custom ADFS theme
Using PowerShell, create a custom ADFS web theme, which we'll edit later to include our Cloned Website Canarytoken.
New-AdfsWebTheme -Name custom -SourceName default
Export the default theme
Using the PowerShell command below, export the default theme.
Export-AdfsWebTheme -Name default -DirectoryPath c:\theme
Create a Cloned Website Canarytoken
Great, you’ve successfully created your Cloned Website Canarytoken - Let's move forward with the final ADFS configuration items.
Modify the custom theme
Set-AdfsWebTheme -TargetName custom -OnLoadScriptPath "c:\theme\script\onload.js"
Apply the custom theme
Set the "custom" theme as the active theme including the embedded Cloned Website Canarytoken.
Set-AdfsWebConfig -ActiveThemeName custom
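The whole procedure above as one re-runnable script, including the onload.js edit and a check that the active theme really carries the token. This is an added example, not part of the original instructions. It assumes the JavaScript snippet shown when the Cloned Website Canarytoken was created has been saved to c:\theme\canarytoken.js; that file name, the marker comment and the c:\theme-verify directory are hypothetical.

```powershell
# Added example (not from the original page). Run in an elevated session on the ADFS server.
$ErrorActionPreference = 'Stop'

$ThemeName    = 'custom'
$ExportDir    = 'c:\theme'
$OnLoad       = Join-Path $ExportDir 'script\onload.js'
$TokenSnippet = 'c:\theme\canarytoken.js'          # assumption: snippet saved from the Canarytokens console
$Marker       = '// cloned-website-canarytoken'    # constructed marker, keeps the append idempotent
$VerifyDir    = 'c:\theme-verify'                  # hypothetical scratch directory for the check

# 1. Create the custom theme only if it is not there yet.
if (-not (Get-AdfsWebTheme | Where-Object { $_.Name -eq $ThemeName })) {
    New-AdfsWebTheme -Name $ThemeName -SourceName default | Out-Null
}

# 2. Export the default theme so there is an onload.js to edit.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
Export-AdfsWebTheme -Name default -DirectoryPath $ExportDir

# 3. Append the token snippet to onload.js, once.
if (-not (Test-Path $TokenSnippet)) { throw "Token snippet not found: $TokenSnippet" }
if (-not (Select-String -Path $OnLoad -SimpleMatch $Marker -Quiet)) {
    Add-Content -Path $OnLoad -Value "`r`n$Marker"
    Add-Content -Path $OnLoad -Value (Get-Content -Path $TokenSnippet -Raw)
}

# 4. Load the edited script into the custom theme and make that theme active.
Set-AdfsWebTheme -TargetName $ThemeName -OnLoadScriptPath $OnLoad
Set-AdfsWebConfig -ActiveThemeName $ThemeName

# 5. Verify: the active theme is the custom one, and a fresh export of it contains the marker.
$active = (Get-AdfsWebConfig).ActiveThemeName
if ($active -ne $ThemeName) { throw "Active theme is '$active', expected '$ThemeName'" }

New-Item -ItemType Directory -Path $VerifyDir -Force | Out-Null
Export-AdfsWebTheme -Name $ThemeName -DirectoryPath $VerifyDir
$deployed = Join-Path $VerifyDir 'script\onload.js'
if (Select-String -Path $deployed -SimpleMatch $Marker -Quiet) {
    Write-Output "OK: theme '$ThemeName' is active and its onload.js contains the Canarytoken."
} else {
    throw "Canarytoken marker missing from the deployed onload.js"
}
```

Re-run the verification step after ADFS updates or theme changes, since a theme reset silently removes the token from the login page.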