Canarytokens by Thinkst

What is this and why should I care?

Your Web token is active!

Copy this URL to your clipboard and use as you wish:

Remember, it gets triggered whenever someone requests the URL.

If the URL is requested as an image (e.g. <img src="">) then a 1x1 image is served. If the URL is surfed in a browser then a blank page is served with fingerprinting Javascript.

Ideas for use:

  • In an email with a juicy subject line.
  • Embedded in documents.
  • Inserted into canary webpages that are only found through brute-force.
  • This URL is just an example. Apart from the hostname and the actual token (the random string), you can change all other parts of the URL.

Your DNS token is active!

Copy this hostname to your clipboard and use as you wish:

Remember, it gets triggered whenever someone performs a DNS lookup of the hostname.

The source IP address shown in the alert is the DNS server, not the end user.

Ideas for use:

  • Include in a PTR entry for dark IP space of your internal network. Quick way to determine if someone is walking your internal DNS without configuring DNS logging and monitoring.
  • Leave in a .bash_history, or .ssh/config, or ~/servers.txt
  • Use as an extremely simple bridge between a detection and notification action. Many possibilities, here's one that tails a logfile and triggers the token when someone logs in:
    tail -f /var/log/auth.log | awk '/Accepted publickey for/ { system("host k5198sfh3cw64rhdpm29oo4ga.canarytokens.com") }'
  • Use as the domain part of an email address.

Your Email address token is active!

Here is a unique email address:

Remember, it gets triggered whenever someone sends an email to the address.

Ideas for use:

  • In a database with a USERS table, drop a fake record in there with this email address. If it gets triggered you know someone has accessed your data.

Your MS Word token is active!

You'll get an alert whenever this document is opened in Microsoft Office, on Windows or Mac OS.

You can rename the document without affecting its operation.

Ideas for use:

  • Drop the file on a Windows network share.
  • Leave the file on a web server in an inaccessible directory, to detect webserver breaches.
  • Attach to an email with a tempting Subject line.

Your PDF token is active!

You'll get an alert whenever this document is opened with Acrobat Reader, regardless of the user's security preferences in Reader.

You can rename the document without affecting its operation.

Ideas for use:

  • Drop the file on a Windows network share.
  • Leave the file on a web server in an inaccessible directory, to detect webserver breaches.
  • Attach to an email with a tempting Subject line.

Your Windows Folder token is active!

Unzip this file in a folder, and get notified when someone browses the folder in Windows Explorer. It will even trigger if someone is browsing the folder via a network share!

The alert will include the network domain and username of the browsing user, if present.

Ideas for use:

  • Unzip the file on a juicely named Windows network share.
  • Unzip the file on your CEO's laptop on a folder on their Desktop.

Your Signed Executable token is active!

Save this file and deploy on Windows machines:

Remember, this token is triggered whenever the binary file is executed. For EXEs, this means direct execution and for DLLs, it means they were loaded.

Ideas for use:

  • Decide on a few default binaries commonly used by attackers, and token them.

Your Cloned Website token is active!

Use this Javascript to detect when someone has cloned a webpage. Place this Javascript on the page you wish to protect:

When someone clones your site, they'll include the Javascript. When the Javascript is run it checks whether the domain is expected. If not, it fires the token and you get an alert.

Ideas for use:

  • Run the script through an obfuscator to make it harder to pick up.
  • Deploy on the login pages of your sensitive sites, such as OWA or tender systems.
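The check described above, written out as an added example (this is not the script the Canarytokens page hands you): it fires the token only when the page is served from a hostname you did not expect. The token URL and the expected hostnames are placeholders you would replace with your own.

```javascript
// Added example of a cloned-site detector, not the Canarytokens project's own script.
// Both values below are constructed placeholders: substitute your token URL and the
// hostnames your site is legitimately served from.
const TOKEN_URL = "https://canarytokens.example/TOKEN_PLACEHOLDER";
const EXPECTED_HOSTS = ["example.com", "www.example.com"];

// True when the page is running on a host we did not expect, i.e. the page (and this
// script with it) has been copied elsewhere. An empty hostname (file:// clones) also
// counts as unexpected, so the token still fires in that case.
function isCloned(hostname, expectedHosts) {
  const h = String(hostname || "").toLowerCase().replace(/\.$/, "");
  return !expectedHosts.some((e) => e.toLowerCase() === h);
}

// Build the beacon URL. The page location and referrer are carried as query
// parameters so the alert tells you where the clone lives and how it was reached.
function buildBeaconUrl(tokenUrl, pageHref, referrer) {
  const u = new URL(tokenUrl);
  u.searchParams.set("l", pageHref || "");
  u.searchParams.set("r", referrer || "");
  return u.toString();
}

// Browser entry point: request the token URL as an image (a 1x1 image is served and
// the alert fires). Returns the beacon URL when fired, null when the host is expected.
function checkAndFire(win, doc) {
  if (!isCloned(win.location.hostname, EXPECTED_HOSTS)) return null;
  const beacon = buildBeaconUrl(TOKEN_URL, win.location.href, doc.referrer);
  const img = new win.Image();
  img.src = beacon;
  return beacon;
}

// Only run automatically inside a real browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  checkAndFire(window, document);
}
```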

Your SQL Server token is active!

The next step is to copy the SQL snippet below and run in your SQL Server database.

When the actions are run, your Canarytoken will be triggered.

Since DNS is used as the underlying transport, the Source IP will be that of a DNS server, not the database server.

Ideas for use:

  • Deploy a SELECT token with a tempting VIEW name such as USER_DETAILS.

Your QR Code token is active!

Use this QR Code to token a physical location or object:

When someone scans the QR Code with a reader, it will trigger the URL tied to your token and fire an alert.

Ideas for use:

  • On containers left in secure locations.
  • Underneath your phone battery when crossing international borders.
  • On your desk.

Your SVN token is active!

Run this SVN command in a dummy repo:

Remember, it gets triggered whenever someone clones the SVN repo.

Don't forget to run

    svn commit

after you've added the token.

The source IP address shown in the alert is the DNS server, not the end user.

Ideas for use:

  • Token a dummy SVN repo to detect when attackers are enumerating repos.
  • Token an old repo which shouldn't be touched any longer.

Your AWS key token is active!

Copy this credential pair to your clipboard to use as desired:

This canarytoken is triggered when someone uses this credential pair to access AWS programmatically (through the API).

The key is hyper unique, i.e. there is 0 chance of somebody having guessed these credentials.

If this token fires, it is a clear indication that this set of keys has "leaked".

Ideas for use:

  • These credentials are often stored in a file called ~/.aws/credentials on linux/OSX systems. Generate a fake credential pair for your senior developers and sysadmins and keep it on their machines. If someone tries to access AWS with the pair you generated for Bob, chances are that Bob's been compromised.
  • Place the credentials in private code repositories. If the token is triggered, it means that someone is accessing that repo without permission.