• Categories
  • PAID


  • Share



      CanaryTokens, also known as honeytokens, are not new but can be useful as a source of information. They can be understood as unique identifiers that can be embedded in different places. If they are touched, an alert is triggered.

      We can use canary tokens in different scenarios:

      • Embedded into applications to help in reverse-engineering detection
      • Detect when someone triggers the canary by activating the token (for example, via a “target file” especially dropped in a private folder. When this file is accessed by an unauthorized user, an alert is generated)

      Use-case scenarios:

      • Get an alert when a PDF document is accessed
      • Get an alert when a Windows folder in browsed in Windows Explorer
      • Trigger an alert when a website is cloned
      • Obtain an alert when an application is reversed


      (1) Get an alert when a PDF document is accessed

      This can be achieved by placing a token in the document meta-data, giving us a reliable ping when the document is opened. The CanaryTokens platform generates both a Word and a PDF document.

      So we can drop the file on a Windows network share or leave the file on a Web server in an inaccessible directory to detect possible breaches.

      As a next step, we need to create a new canary token and drop the generated file in a protected directory in a Microsoft Windows operating system: c:unautorized_directorypasswords.pdf.

      When someone accesses and opens this file (e.g., an adversary), an alert is triggered.




      The token reminder is also described in the email in order to identify its origin. Note that this information was input during the creation of the canary token.

      By clicking on “Manage this Canarytoken here,” the operator can disable the canary token. When the link “More info on this token here” is clicked, the user can access a page where more information is presented.

      Note that it is also possible to export all the data in a JSON or CSV file format.


      (2) Get an alert when a Windows folder is browsed in Windows Explorer

      This kind of token can be used in some cases, such as:

      1. Unzip the file on a temptingly-named Windows network share
      2. Unzip the file on the CEO’s laptop on a folder on their desktop in order to detect suspicious access attempts

      To carry out this task, we need to create a folder named “protected” in the C: drive.

      Windows provides an even better way to get notified, in the form of the venerable old desktop.ini configuration file. Dropping a desktop.ini file in a folder allows Explorer to set a custom icon for a file. Since this icon can reside on a remote server (via a UNC path), using DNS we can effectively make use of a token as our icon file.

      [.ShellClassInfo] IconResource=%USERNAME%.%USERDOMAIN%.INI.kdh1.canarytokens.comresource.dll

      This configuration allows the generation of a notification any time someone browses the directory in Explorer and can prevent data breaches or unauthorized accesses.


      (3) Trigger an alert when a website is cloned

      Canary tokens can also be used to detect when a website is cloned by an adversary. For that, we need to access the platform and pick the option “Cloned Website.” The canary token server can also send a notification if a Web page is copied (and hosted on another top-level domain). This is usually the first step in a well-executed phishing campaign. By clicking the “Create my Canarytoken” button, this snippet of code is presented. You can see our example to the right, using our example website.

      The generated source code is very simple to understand:

      1. Load in client browser
      2. Check if URL is https://resources.infosecinstitute.com. If not, it loads the canary token and generates a new alert

      When someone clones the website, they’ll include the JavaScript. When the JavaScript is run, it checks whether the domain is expected. If not, it activates the token and an alert is triggered.

      To make it difficult to “detect” by hackers, we can:

      1. Run the script through an obfuscator to make it harder to pick up
      2. Deploy it on the login pages of your sensitive sites, such as OWA or tender systems


      (4) Receive an alert when an application is reversed

      By reversing an application such as a Java application, an APK or .NET executables, attackers can access data embedded in that files. This data may include API keys, secret keys, passwords and other sensitive information.

      To do this, we can use a URL encoded or even obfuscated with base64. With this trick, it looks like a legitimate website URL, causing the attacker to click on the URL and triggering the alert.

      The CanaryTokens platform has a feature that can be used to generate AWS S3 tokens. Let’s use it.

      This canary token is triggered when someone uses this credential pair to access AWS programmatically (through the API).

      The key is hyper-unique: There is zero chance of somebody having guessed these credentials. If this token fires, it is a clear indication that this set of keys has “leaked.”

      Ideas for use:

      1. These credentials are often stored in a file called ~/.aws/credentials on linux/OSX systems. Generate a fake credential pair for your senior developers and sysadmins and keep it on their machines. If someone tries to access AWS with the pair you generated for Bob, chances are that Bob has been compromised
      2. Place the credentials in private code repositories. If the token is triggered, it means that someone is accessing that repo without permission