Intrusion detection with Canary Token

A canary token is a unique one-time generated link designed to detect if someone interacts with it in some way. The link is embedded in a several type of files, folders or even databases.

There are number of option to do so:

  • URl token alerts when a URL is visited
  • DNS token alerts when a hostname is requested
  • AWS key alerts when AWs key is used
  • Azure Login Certificate is a azure service principal certificate alerts when used to login with
  • Sensitive command token alerts when a suspicious Windows command is run
  • Microsoft Word document alerts when a document is opened
  • Microsoft Excel document alerts when excel document is opened
  • Credit Card token alerts when a transaction is attempted on credit card
  • Kubeconfig token alerts when a Kubernetes config is used/changed
  • WireGuard VPN alerts when WireGuard VPN client config is used
  • Cloned website triggers an alert when web site is cloned
  • QR code generates a QR code for physical token
  • MySQL dump alerts when a MySQL dump os loaded
  • Windows folder alerts when a Windows folder is visited in Windows Explorer
  • Log4Shell alerts when a log4j log line is vulnerable to CVE-2021-44228
  • Fast redirect alerts when URL is visited. Visitor is redirected
  • Slow redirect alerts when a URL is visited. Visitor is redirected and more information is grabbed
  • Custom image web token alerts when an image uploaded is viewed
  • Acrobat Reader PDF document alerts when a PDF is opened
  • Custom exe/dll fires an alert when EXE or DLL is executed
  • Microsoft SQL Server alerts when MS SQL Server database is accessed
  • SVN token alerts when repository is checked out
  • Unique email address alerts when an email is sent to a unique address

Let’s do some small test. Go to https://canarytokens.org and create word document. Provide email address on which we are going to receive an notification about intruder and download the file somewhere in shared location. It might any hot spot for an intruder like root of FTP or SMB server, database or even cloud account or shared location.

Now, try get the file and open. Nothing happened? Check the email we provided:

Here we go, we can see an new alert which contains source IP address and some user specific information. Let’s manage the token:

Open a history. Here, there is much more information about the intruder: a location where he is, additional tracking information like request header, OS, OS version and so on.

Canarytoken is a wonderful way to track an intruder presence and a method of active defence you personal information or workloads from been compromised. The token can help you detect malicious attempts to interact with our data, infrastructure and applications. Since legitimate users should not be interacting with these honeypot resources, any activity associated with them is suspect, offering an intrusion detection and threat research method with a relatively low rate of false positives.

Be an ethical,

take care of your privacy!

subscribe to newsletter

and receive weekly update from our blog

By submitting your information, you're giving us permission to email you. You may unsubscribe at any time.

Leave a Comment

Discover more from #cybertechtalk

Subscribe now to keep reading and get access to the full archive.

Continue reading