diff --git a/.gitignore b/.gitignore index 8d3f70a..3ae88b5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .DS_Store node_modules docs/.vuepress/dist/ +.nvmrc \ No newline at end of file diff --git a/docs/.vuepress/images/canarytokens_generate_page.png b/docs/.vuepress/images/canarytokens_generate_page.png index 8b12ed6..c085a5c 100644 Binary files a/docs/.vuepress/images/canarytokens_generate_page.png and b/docs/.vuepress/images/canarytokens_generate_page.png differ diff --git a/docs/.vuepress/images/cloned_web_token_created.png b/docs/.vuepress/images/cloned_web_token_created.png index 35fa5b0..18f5ee6 100644 Binary files a/docs/.vuepress/images/cloned_web_token_created.png and b/docs/.vuepress/images/cloned_web_token_created.png differ diff --git a/docs/.vuepress/images/cloned_web_token_creating.png b/docs/.vuepress/images/cloned_web_token_creating.png index 22cd183..520b004 100644 Binary files a/docs/.vuepress/images/cloned_web_token_creating.png and b/docs/.vuepress/images/cloned_web_token_creating.png differ diff --git a/docs/.vuepress/images/dns_token_created.png b/docs/.vuepress/images/dns_token_created.png index f74010c..b4533d2 100644 Binary files a/docs/.vuepress/images/dns_token_created.png and b/docs/.vuepress/images/dns_token_created.png differ diff --git a/docs/.vuepress/images/dns_token_creating.png b/docs/.vuepress/images/dns_token_creating.png index 23f01e2..04ca06a 100644 Binary files a/docs/.vuepress/images/dns_token_creating.png and b/docs/.vuepress/images/dns_token_creating.png differ diff --git a/docs/.vuepress/images/generic_dns_data.png b/docs/.vuepress/images/generic_dns_data.png index ff1e705..dccff48 100644 Binary files a/docs/.vuepress/images/generic_dns_data.png and b/docs/.vuepress/images/generic_dns_data.png differ 
diff --git a/docs/.vuepress/images/http_token_created.png b/docs/.vuepress/images/http_token_created.png index c2bdc42..ce4a360 100644 Binary files a/docs/.vuepress/images/http_token_created.png and b/docs/.vuepress/images/http_token_created.png differ diff --git a/docs/.vuepress/images/http_token_creating.png b/docs/.vuepress/images/http_token_creating.png index f379b7e..e361c76 100644 Binary files a/docs/.vuepress/images/http_token_creating.png and b/docs/.vuepress/images/http_token_creating.png differ diff --git a/docs/.vuepress/images/kubeconfig_token_created.png b/docs/.vuepress/images/kubeconfig_token_created.png index 301aa7b..f20b933 100644 Binary files a/docs/.vuepress/images/kubeconfig_token_created.png and b/docs/.vuepress/images/kubeconfig_token_created.png differ diff --git a/docs/.vuepress/images/kubeconfig_token_creating.png b/docs/.vuepress/images/kubeconfig_token_creating.png index 3aaace0..4bbcc3d 100644 Binary files a/docs/.vuepress/images/kubeconfig_token_creating.png and b/docs/.vuepress/images/kubeconfig_token_creating.png differ diff --git a/docs/guide/README.md b/docs/guide/README.md index ef04719..947b50b 100644 --- a/docs/guide/README.md +++ b/docs/guide/README.md 
@@ -6,12 +6,12 @@ prev: false ## What are Canarytokens -You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests. +Canarytokens are like motion sensors for your networks, computers and clouds. You can put them in folders, on network devices and on your phones. -Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots. +Place them where nobody should be poking around and get a clear alarm if they are accessed. They are designed to look juicy to attackers to increase the likelihood that they are opened (and they are completely free). ## Why should you use them -Network breaches happen. From mega-corps, to governments. From unsuspecting grandmas to well-known security pros. This is (kinda) excusable. What isn't excusable, is only finding out about it, months or years later. +Our Canarytokens are easy to sprinkle all over and forget about, until you get the notification that matters. They are super lightweight and don’t require installing software or running more background processes that can slow down your PC. -Canarytokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.) +Canarytokens are a distilled version of our much-loved [Canary product](https://canary.tools/). They are dead simple, and they work. diff --git a/docs/guide/adobe-pdf-token.md b/docs/guide/adobe-pdf-token.md index fb6a802..cf6349b 100644 --- a/docs/guide/adobe-pdf-token.md +++ b/docs/guide/adobe-pdf-token.md 
@@ -1,7 +1,7 @@ -# Adobe PDF Token +# Adobe PDF Canarytoken -## What is an Adobe PDF token +## What is an Adobe PDF Canarytoken -This Canarytoken is a PDF document that will notify you when it has been opened (by reasonably compliant PDF readers). The token works by forcing the PDF reader to do a DNS lookup on a unique address (so we can safely tie the resolution to the opening of the Document). +This Canarytoken is a PDF document that will notify you when it has been opened (by reasonably compliant PDF readers). The Canarytoken works by forcing the PDF reader to do a DNS lookup on a unique address (so we can safely tie the resolution to the opening of the Document). ->**Note**: DNS tokens are great to get a beacon out from a heavily filtered network, but lack the granularity of some other tokens. In this case, the best you can hope for is to be aware that the document was opened, and have a rough idea of the source. +>**Note**: DNS Canarytokens are great to get a beacon out from a heavily filtered network, but lack the granularity of some other Canarytokens. In this case, the best you can hope for is to be aware that the document was opened, and have a rough idea of the source. diff --git a/docs/guide/aws-keys-token.md b/docs/guide/aws-keys-token.md index c2deda8..84a522b 100644 --- a/docs/guide/aws-keys-token.md +++ b/docs/guide/aws-keys-token.md 
@@ -1,14 +1,14 @@ -# AWS API Keys Token +# AWS API Keys Canarytoken -## What is an AWS API Keys Token +## What is an AWS API Keys Canarytoken -This token provides you with a set of AWS API keys. Leave them in private code repositories, leave them on a developers machine. An attacker who stumbles on them will believe they are the keys to your cloud infrastructure. If they are used via the AWS API at any point, you will be alerted. +This Canarytoken provides you with a set of AWS API keys. Leave them in private code repositories, leave them on a developers machine. An attacker who stumbles on them will believe they are the keys to your cloud infrastructure. If they are used via the AWS API at any point, you will be alerted. -## Creating the token +## Creating the Canarytoken -Create a token by choosing "AWS API Key" from the drop down list. +Create a Canarytoken by choosing "AWS Keys" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. The AWS credentials that are displayed can be copied into a file named credentials or keys (as per AWS custom). The two provided keys must be kept together for an attacker to use the AWS API. diff --git a/docs/guide/cloned-web-token.md b/docs/guide/cloned-web-token.md index e7567f6..603c083 100644 --- a/docs/guide/cloned-web-token.md +++ b/docs/guide/cloned-web-token.md 
@@ -1,14 +1,14 @@ -# Cloned Website Token +# Cloned Website Canarytoken -## What is a Cloned Website Token +## What is a Cloned Website Canarytoken This Canarytoken is placed within the JavaScript of your websites and notifies you if someone clones your site and hosts it on another domain. (This is often used for targeted Phishing attacks.) -## Creating a Cloned Website token +## Creating a Cloned Website Canarytoken -Create a token by choosing "Cloned Website" from the drop down list. +Create a Canarytoken by choosing "JS Cloned Website" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. Then, supply the domain that you want to protect (this is the domain where the site is deployed that you will insert your tokenized javascript into). +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. Then, supply the domain that you want to protect (this is the domain where the site is deployed that you will insert your tokenized javascript into). You'll get javascript similar to: diff --git a/docs/guide/css-cloned-site-token.md b/docs/guide/css-cloned-site-token.md index 2b7f8ef..9358307 100644 --- a/docs/guide/css-cloned-site-token.md +++ b/docs/guide/css-cloned-site-token.md 
@@ -1,14 +1,14 @@ -# CSS Cloned Website Token +# CSS Cloned Website Canarytoken -## What is a CSS Cloned Website Token +## What is a CSS Cloned Website Canarytoken This Canarytoken is placed within either the CSS of your site, or inside a 3rd party site, where you may not be able to add JavaScript and notifies you if someone clones your site and hosts it on another domain. This can alert on targeted or Adversary-in-the-Middle (AitM) phishing attacks. -## Creating a CSS Cloned Website Token +## Creating a CSS Cloned Website Canarytoken -Create a token by choosing "CSS Cloned Website" from the dropdown list. +Create a Canarytoken by choosing "CSS Cloned Website" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. Then, supply the domain that you want to protect (this is the domain where the site is deployed that you will insert your tokenized css into). +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. Then, supply the domain that you want to protect (this is the domain where the site is deployed that you will insert your tokenized css into). You'll get a CSS Snippet similar to: 
@@ -18,9 +18,9 @@ body { } ``` -Upon a client making the request, our CloudFront infrastructure will validate the HTTP Referer header to ensure it is expected. You get an alert if the domain doesn't match the expected domain used during the creation of the token. +Upon a client making the request, our CloudFront infrastructure will validate the HTTP Referer header to ensure it is expected. You get an alert if the domain doesn't match the expected domain used during the creation of the Canarytoken. Ideas for use: - - Only the `url()` portion is required, you can change the selector and add `opacity: 0` or `display: hidden` if you want to style an invisible element. + - Only the `url()` portion is required, you can change the selector and add `opacity: 0` or `display: hidden` if you want to style an invisible element. - Use this CSS to style 3rd party authentication pages, such as a [LogTo](https://logto.io) page, or an [AWS Cognito login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-ui-customization.html) diff --git a/docs/guide/custom-exe-token.md b/docs/guide/custom-exe-token.md index bacd52f..6ff11f7 100644 --- a/docs/guide/custom-exe-token.md +++ b/docs/guide/custom-exe-token.md 
@@ -1,17 +1,17 @@ -# Custom EXE Token +# Custom EXE Canarytoken -## What is a Custom EXE Token +## What is a Custom EXE Canarytoken -This token works by signing an EXE or a DLL with a certificate containing a Canarytoken. When the EXE is run, or the DLL is loaded, an alert is fired. +This Canarytoken works by signing an EXE or a DLL with a certificate containing a Canarytoken. When the EXE is run, or the DLL is loaded, an alert is fired. -## Creating the token +## Creating the Canarytoken -Create a token by choosing "Custom exe" from the drop down list. +Create a Canarytoken by choosing "Custom exe / binary" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. Then, select the EXE or the DLL to be signed. +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. Then, select the EXE or the DLL to be signed. -The file can now be downloaded. Remember, this token is triggered whenever the binary file is executed. For EXEs, this means direct execution and for DLLs, it means they were loaded. +The file can now be downloaded. Remember, this Canarytoken is triggered whenever the binary file is executed. For EXEs, this means direct execution and for DLLs, it means they were loaded. ## What to tokenize -When choosing which files to token, decide on a few binaries commonly used by attackers, and token these. +When choosing which files to Canarytoken, decide on a few binaries commonly used by attackers, and Canarytoken these. diff --git a/docs/guide/dns-token.md b/docs/guide/dns-token.md index da58a58..67dd386 100644 --- a/docs/guide/dns-token.md +++ b/docs/guide/dns-token.md 
@@ -1,33 +1,33 @@ -# DNS Token +# DNS Canarytoken -## What is a DNS token +## What is a DNS Canarytoken When you create a DNS based Canarytoken, the system gives you a unique Internet resolvable domain name. Anyone attempting to resolve this domain name, will now trigger an alert. -Why does this matter? Once you are able to get an alert for a web-based token, or a DNS based token, you have the building blocks for squillions of possible tripwires. +Why does this matter? Once you are able to get an alert for a web-based Canarytoken, or a DNS based Canarytoken, you have the building blocks for squillions of possible tripwires. -## Creating a DNS token +## Creating a DNS Canarytoken -Head on over to [canarytokens.org](https://canarytokens.org/generate) and select `DNS token`: +Head on over to [canarytokens.org](https://canarytokens.org/generate) and select `DNS`: -![Creating a DNS token](../.vuepress/images/dns_token_creating.png) +![Creating a DNS Canarytoken](../.vuepress/images/dns_token_creating.png) Enter your email address along with a reminder that will be easy to understand then click Create: -![Created an HTTP token](../.vuepress/images/dns_token_created.png) +![Created an HTTP Canarytoken](../.vuepress/images/dns_token_created.png) Copy the hostname and place it somewhere useful. -## Encoding additional information in your token +## Encoding additional information in your Canarytoken -Your DNS token can carry a small amount of additional custom data when it’s triggered. This can be used for adding incident-specific data to your alert with custom DNS based tokens. Use the following encoding rules to place generic data into your DNS token: +Your DNS Canarytoken can carry a small amount of additional custom data when it’s triggered. This can be used for adding incident-specific data to your alert with custom DNS based Canarytokens. 
Use the following encoding rules to place generic data into your DNS Canarytoken: * Base32 encode your data, and remove any padding '=' characters * Insert periods (.) after every 63-bytes * Append the magic string '.G'+<2-random-digits>+'.' (e.g. '.G12.' or '.G83.') - * Append your DNS token + * Append your DNS Canarytoken This creates a new hostname of the form: ``` ..G<2-random-digits>. diff --git a/docs/guide/fast-redirect-token.md b/docs/guide/fast-redirect-token.md index 5ae0746..481392d 100644 --- a/docs/guide/fast-redirect-token.md +++ b/docs/guide/fast-redirect-token.md @@ -1,11 +1,11 @@ -# Fast Redirect Token +# Fast Redirect Canarytoken -## What is a Fast Redirect Token +## What is a Fast Redirect Canarytoken -This token is similar to the HTTP token but the token redirects to a custom address once triggered. The difference between the regular HTTP token and the Fast Redirect is that this token does not collect browser nor browser plugin information. For a redirect that does, see the Slow Redirect token in the next section. +This Canarytoken is similar to the HTTP Canarytoken but the Canarytoken redirects to a custom address once triggered. The difference between the regular HTTP Canarytoken and the Fast Redirect is that this Canarytoken does not collect browser nor browser plugin information. For a redirect that does, see the Slow Redirect Canarytoken in the next section. ## Creating the token -Create a token by choosing "Fast Redirect" from the drop down list. +Create a Canarytoken by choosing "Fast Redirect" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. Add the redirect URL to which the token will redirect once fired. Then click "Create New Canarytoken" to create the token. +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. Add the redirect URL to which the Canarytoken will redirect once fired. Then click "Create New Canarytoken" to create the Canarytoken. 
diff --git a/docs/guide/getting-started.md b/docs/guide/getting-started.md index 41fc71f..3d51071 100644 --- a/docs/guide/getting-started.md +++ b/docs/guide/getting-started.md @@ -4,15 +4,15 @@ Go to [canarytokens.org](https://canarytokens.org/generate) and select your Canarytoken (supply an email to be notified at as well as a memo that reminds you which Canarytoken this is and where you put it). -![Created an HTTP token](../.vuepress/images/http_token_creating.png) +![Created an HTTP Canarytoken](../.vuepress/images/http_token_creating.png) Place the generated Canarytoken somewhere special (read the [examples](./examples.md) for ideas on where). If an attacker ever trips on the Canarytoken somehow, you'll get an email letting you know that it has happened. -## How do attackers trip over a token +## How do attackers trip over a Canarytoken -Recall that a typical token is a unique URL and/or hostname. The URL component is pretty flexible. This means that if your token is: +Recall that a typical Canarytoken is a unique URL and/or hostname. The URL component is pretty flexible. This means that if your Canarytoken is: ```bash http://45e51129ec7e.o3n.io/images/o63277vnjf6nfobn3cbey69fh/spacer.gif 
@@ -27,25 +27,25 @@ http://45e51129ec7e.o3n.io/images/o63277vnjf6nfobn3cbey69fh/passwords.zip http://45e51129ec7e.o3n.io/images/o63277vnjf6nfobn3cbey69fh/anything-really ``` -would still activate your token. This gives us the simplest use-case for a token, an old fashioned web-bug. +would still activate your Canarytoken. This gives us the simplest use-case for a Canarytoken, an old fashioned web-bug. -For example, you could send yourself an email with a link to the token plus some lure text: +For example, you could send yourself an email with a link to the Canarytoken plus some lure text: ![Tokened mail](../.vuepress/images/tokened_mail.png) Simply keep it in your inbox unread since you know not to touch it. An attacker who has grabbed your mail-spool doesn't. So if your emails are stolen, then an attacker reading them should be attracted to the mail and visit the link – and while your week is about to get worse, at least you know. -If you like, you could even use the same token as an embedded image. This way it works like the classic 1x1 transparent GIF. Now an attacker reading your inbox could trip over it just because his mail client renders remote images. (In this way you can use free Canarytokens as a classic web/mail-bug, to receive a notification when an email you send has been read.) +If you like, you could even use the same Canarytoken as an embedded image. This way it works like the classic 1x1 transparent GIF. Now an attacker reading your inbox could trip over it just because his mail client renders remote images. (In this way you can use free Canarytokens as a classic web/mail-bug, to receive a notification when an email you send has been read.) ## What memo should I use -Over time, if you are using Canarytokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is descriptive, and will be self-describing. 
Nothing sucks more than having a token fire an alert that reads “test" - and not knowing where you placed it. +Over time, if you are using Canarytokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is descriptive, and will be self-describing. Nothing sucks more than having a Canarytoken fire an alert that reads “test" - and not knowing where you placed it. ## Production Usage Canarytokens can be used as simple web-bugs, but they are incredibly flexible as we'll see. -You may have a fancy SIEM that lets you know when stuff happens, but you'll find that with a little creativity, there's a bunch of places that you could get wins from a token (that can be deployed in seconds) that you couldn't easily get to otherwise. +You may have a fancy SIEM that lets you know when stuff happens, but you'll find that with a little creativity, there's a bunch of places that you could get wins from a Canarytoken (that can be deployed in seconds) that you couldn't easily get to otherwise. -Do you trust the admins/support at DropBox to leave your files alone? (or Office365? or HipChat?) Simply generate a token and drop it in your folder, or mention it in your HipChat channel. If some admin is browsing contents in their spare time (or is being coerced to do so by a 3rd party) they will trip over your URL and you'll be notified. +Do you trust the admins/support at Dropbox to leave your files alone? (or Office365?) Simply generate a Canarytoken and drop it in your folder, or mention it in your HipChat channel. If some admin is browsing contents in their spare time (or is being coerced to do so by a 3rd party) they will trip over your URL and you'll be notified. diff --git a/docs/guide/http-token.md b/docs/guide/http-token.md index b31dfdb..46d2e11 100644 --- a/docs/guide/http-token.md +++ b/docs/guide/http-token.md 
@@ -1,16 +1,16 @@ -# HTTP Token +# HTTP Canarytoken -## What is an HTTP token +## What is an HTTP Canarytoken When you create a HTTP based Canarytoken, the system gives you a URL. Anyone attempting to browse to this URL will generate an alert. -Why does this matter? Once you are able to get an alert for a web-based token, or a DNS based token, you have the building blocks for squillions of possible tripwires. +Why does this matter? Once you are able to get an alert for a web-based Canarytoken, or a DNS based Canarytoken, you have the building blocks for squillions of possible tripwires. -## Creating an HTTP token +## Creating an HTTP Canarytoken -Head on over to [canarytokens.org](https://canarytokens.org/generate) and select `Web bug /URL token`: +Head on over to [canarytokens.org](https://canarytokens.org/generate) and select `Web bug`: ![Creating an HTTP token](../.vuepress/images/http_token_creating.png) diff --git a/docs/guide/kubeconfig-token.md b/docs/guide/kubeconfig-token.md index 9a69876..6dd53da 100644 --- a/docs/guide/kubeconfig-token.md +++ b/docs/guide/kubeconfig-token.md @@ -10,7 +10,7 @@ Using the Kubeconfig Canarytoken will simply return permission errors to an atta ## Creating a Kubeconfig token -Head on over to [canarytokens.org](https://canarytokens.org/generate) and select Kubeconfig token. +Head on over to [canarytokens.org](https://canarytokens.org/generate) and select `Kubeconfig`. Enter the email address or webhook where you would like to get alerts. Next, enter a reminder note that will be convenient for you to identify where you placed the Kubeconfig, when you get alerted. diff --git a/docs/guide/ms-excel-token.md b/docs/guide/ms-excel-token.md index 8f3bcf2..0b8a111 100644 --- a/docs/guide/ms-excel-token.md +++ b/docs/guide/ms-excel-token.md 
@@ -1,9 +1,9 @@ -# MS Excel Token +# MS Excel Canarytoken A special thanks to [Dominic White](https://twitter.com/singe) for making this happen. -## What is a MS Excel Token +## What is a MS Excel Canarytoken -This is a Microsoft Excel document that will alert you whenever it is opened in Microsoft Office on Windows or MAC OS. +This is a Microsoft Excel document that will alert you whenever it is opened in Microsoft Office on Windows or macOS. This is useful for dropping into shares that shouldn't be accessed. Create a juicy filename (employee_salaries.xlsx, passwords.xlsx), leave it lying around on a network share, on a web server, in an email, and wait for the alert to tell you there's someone snooping around. diff --git a/docs/guide/ms-word-token.md b/docs/guide/ms-word-token.md index c159cae..43742b8 100644 --- a/docs/guide/ms-word-token.md +++ b/docs/guide/ms-word-token.md @@ -1,7 +1,7 @@ -# MS Word Token +# MS Word Canarytoken -## What is a MS Word Token +## What is a MS Word Canarytoken -This is a Microsoft Word document that will alert you whenever it is opened in Microsoft Office on Windows or MAC OS. +This is a Microsoft Word document that will alert you whenever it is opened in Microsoft Office on Windows or macOS. This is useful for dropping into shares that shouldn't be accessed. Create a juicy filename (employee_salaries.docx, passwords.docx), leave it lying around on a network share, on a web server, in an email, and wait for the alert to tell you there's someone snooping around. diff --git a/docs/guide/mysql-dump-token.md b/docs/guide/mysql-dump-token.md index b227e4b..f896183 100644 --- a/docs/guide/mysql-dump-token.md +++ b/docs/guide/mysql-dump-token.md 
@@ -1,18 +1,18 @@ -# MySQL Dump Token +# MySQL Dump Canarytoken -## What is a MySQL Database Dump Token +## What is a MySQL Database Dump Canarytoken -This token is a sequence of SQL commands that trigger upon being imported or otherwise executed on a MySQL server. These commands can be optionally obfuscated and/or embedded into a fake SQL dump file with synthetic data. +This Canarytoken is a sequence of SQL commands that trigger upon being imported or otherwise executed on a MySQL server. These commands can be optionally obfuscated and/or embedded into a fake SQL dump file with synthetic data. -## Creating the token +## Creating the Canarytoken -Create a token by choosing "MySQL Dump" from the drop down list. +Create a Canarytoken by choosing "MySQL" from the Canarytokens list. -Enter your email address or webhook to send alerts to and leave a reasonable comment to remind yourself where you will deploy the token. +Enter your email address or webhook to send alerts to and leave a reasonable comment to remind yourself where you will deploy the Canarytoken. You can either copy the generated SQL (encoded or not) into an existing MySQL dump file, or download a randomly-generated one with these commands already embedded. -Leave this token file somewhere with other backups and if an attacker comes across it and imports it to see what it contains you'll be alerted! +Leave this Canarytoken file somewhere with other backups and if an attacker comes across it and imports it to see what it contains you'll be alerted! diff --git a/docs/guide/qr-code-token.md b/docs/guide/qr-code-token.md index d96c286..b9f7344 100644 --- a/docs/guide/qr-code-token.md +++ b/docs/guide/qr-code-token.md 
@@ -1,14 +1,14 @@ -# QR Code Token +# QR Code Canarytoken -## What is a QR Code Token +## What is a QR Code Canarytoken -This token works by encoding a URL as a QR code. When the QR code is scanned and the URL is loaded, the token sends an alert. +This Canarytoken works by encoding a URL as a QR code. When the QR code is scanned and the URL is loaded, the Canarytoken sends an alert. -## Creating the token +## Creating the Canarytoken -Create a token by choosing "QR Code" from the drop down list. +Create a Canarytoken by choosing "QR Code" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. The QR image can be downloaded and placed wherever you like. diff --git a/docs/guide/sensitive-cmd-token.md b/docs/guide/sensitive-cmd-token.md index 54cc9b8..93607f0 100644 --- a/docs/guide/sensitive-cmd-token.md +++ b/docs/guide/sensitive-cmd-token.md @@ -1,17 +1,17 @@ -# Sensitive Command Token +# Sensitive Command Canarytoken -## What is a Sensitive Command token +## What is a Sensitive Command Canarytoken Have you ever wanted a quick alert if an unexpected Windows process runs on a host? This simple Canarytoken allows you to set up a quick alert when you want to know any time a specific command is executed. -This token creates a registry key and sends an alert to you in near real-time that the command of interest had been executed. +This Canarytoken creates a registry key and sends an alert to you in near real-time that the command of interest had been executed. -## Creating a Sensitive Command token +## Creating a Sensitive Command Canarytoken -Head on over to [canarytokens.org](https://canarytokens.org/generate) and select `Sensitive command token`: +Head on over to [canarytokens.org](https://canarytokens.org/generate) and select `Sensitive command`: image 
@@ -22,7 +22,7 @@ then click Create: image -Download the .reg file to a Windows system. +Download the .reg file to a Windows system. image @@ -34,7 +34,7 @@ reg import /reg:64 reg import /reg:32 ``` -## How to use this token +## How to use this Canarytoken Once installed (with admin permissions) you'll get an alert whenever someone (or someone's code) runs your sensitive process. It will automatically provide the command used, computer the command ran on, and the user invoking the command. diff --git a/docs/guide/slow-redirect-token.md b/docs/guide/slow-redirect-token.md index 76f459c..6e38fe0 100644 --- a/docs/guide/slow-redirect-token.md +++ b/docs/guide/slow-redirect-token.md @@ -1,11 +1,11 @@ -# Slow Redirect Token +# Slow Redirect Canarytoken -## What is a Slow Redirect Token +## What is a Slow Redirect Canarytoken -This token is similar to the HTTP token but the token redirects to a custom address once triggered. The difference between the regular Fast Redirect token and this is that this token runs a browser scanner that collects browser/plugin information. +This Canarytoken is similar to the HTTP Canarytoken but the Canarytoken redirects to a custom address once triggered. The difference between the regular Fast Redirect Canarytoken and this is that this Canarytoken runs a browser scanner that collects browser/plugin information. ## Creating the token -Create a token by choosing "Slow Redirect" from the drop down list. +Create a token by choosing "Slow Redirect" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. Add the redirect URL to which the token will redirect once fired. Then click "Create New Canarytoken" to create the token. +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. Add the redirect URL to which the Canarytoken will redirect once fired. Then click "Create New Canarytoken" to create the Canarytoken. 
diff --git a/docs/guide/sql-server-token.md b/docs/guide/sql-server-token.md index ad1d23c..cdd3eb2 100644 --- a/docs/guide/sql-server-token.md +++ b/docs/guide/sql-server-token.md @@ -1,14 +1,14 @@ -# SQL Server Token +# SQL Server Canarytoken -## What is a SQL Server Token +## What is a SQL Server Canarytoken -This token alerts whenever an UPDATE/SELECT/DELETE or INSERT is performed on a specified SQL Server table. +This Canarytoken alerts whenever an UPDATE/SELECT/DELETE or INSERT is performed on a specified SQL Server table. -## Creating the token +## Creating the Canarytoken -Create a token by choosing "SQL Server" from the drop down list. +Create a Canarytoken by choosing "SQL Server" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. Download the SQL script and run it against the SQL Server database of your choice. diff --git a/docs/guide/svn-token.md b/docs/guide/svn-token.md index 5613171..6dd713a 100644 --- a/docs/guide/svn-token.md +++ b/docs/guide/svn-token.md 
@@ -1,23 +1,23 @@ -# SVN Token +# SVN Canarytoken -## What is an SVN Token +## What is an SVN Canarytoken -This token alerts whenever anyone attempts to clone an SVN repository. +This Canarytoken alerts whenever anyone attempts to clone an SVN repository. -## Creating the token +## Creating the Canarytoken -Create a token by choosing "SVN" from the drop down list. +Create a Canarytoken by choosing "SVN" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. -Run the command to token a repository of your choosing. Don't forget to +Run the command to Canarytoken a repository of your choosing. Don't forget to ```bash svn commit ``` -after you've added the token. +after you've added the Canarytoken. ## What to tokenize -A few ideas for use include: token a dummy SVN repo to detect when attackers are enumerating repos; or an old repo which shouldn't be touched any longer. +A few ideas for use include: Canarytoken a dummy SVN repo to detect when attackers are enumerating repos; or an old repo which shouldn't be touched any longer. diff --git a/docs/guide/web-image-token.md b/docs/guide/web-image-token.md index 1820e89..a018cf9 100644 --- a/docs/guide/web-image-token.md +++ b/docs/guide/web-image-token.md 
@@ -1,18 +1,18 @@ -# Web Image Token +# Web Image Canarytoken -## What is a Web Image Token +## What is a Web Image Canarytoken -This token works much like the default HTTP token, but allows you to bind the token to an image of your choosing. i.e. upload an image to your server. The server will serve this image to people, and will notify you when it does. +This Canarytoken works much like the default HTTP Canarytoken, but allows you to bind the Canarytoken to an image of your choosing. i.e. upload an image to your server. The server will serve this image to people, and will notify you when it does. -## Creating the token +## Creating the Canarytoken -Create a token by choosing "Custom Image Web bug" from the drop down list. +Create a Canarytoken by choosing "Web Image" from the Canarytokens list. -Leave a reasonable comment to remind yourself where you will deploy the token. +Leave a reasonable comment to remind yourself where you will deploy the Canarytoken. -This token is now a valid link to the image you uploaded. +This Canarytoken is now a valid link to the image you uploaded. -## How to use this token +## How to use this Canarytoken A trick is to embed this image in an admin page for example. An attacker accessing the page will also load the image, sending you your notification that the page has been accessed. diff --git a/docs/guide/windows-directory-token.md b/docs/guide/windows-directory-token.md index dd7cc93..4ec07c6 100644 --- a/docs/guide/windows-directory-token.md +++ b/docs/guide/windows-directory-token.md 
@@ -1,19 +1,19 @@ -# Windows Directory Token +# Windows Directory Canarytoken -## What is a Windows Directory Token +## What is a Windows Directory Canarytoken -This token allows you to get a notification when someone browses to a “token’d" directory on a Windows server or machine. +This Canarytoken allows you to get a notification when someone browses to a “Canarytoken’d" directory on a Windows server or machine. -## Creating the token +## Creating the Canarytoken -Create a token, by choosing “Windows Directory Browsing" from the drop down list. +Create a Canarytoken, by choosing “Windows Directory Browsing" from the Canarytokens list. -Leave a reasonable comment to remind you where you will deploy the token and then download the generated file. +Leave a reasonable comment to remind you where you will deploy the Canarytoken and then download the generated file. This offers you a download of a desktop.ini file (inside of a zip file). Simply create a folder on a Windows machine of your choice, and place the desktop.ini file in it. If an attacker browses that directory, you will get your console alert. -(WinZIP and WinRAR both maintain directory structures and honour desktop.ini – you can download a Zip file with the desktop.ini already packaged after you generate your token, and you'll get notified if someone opens (expands) the Zip file.) +(WinZIP and WinRAR both maintain directory structures and honour desktop.ini – you can download a Zip file with the desktop.ini already packaged after you generate your Canarytoken, and you'll get notified if someone opens (expands) the Zip file.) ## How this works -Dropping a desktop.ini file in a folder allows Explorer to set a custom icon for a file. Since this icon can reside on a remote server (via a UNC path), using DNS we can effectively make use of a token as our icon file. +Dropping a desktop.ini file in a folder allows Explorer to set a custom icon for a file. 
Since this icon can reside on a remote server (via a UNC path), using DNS we can effectively make use of a Canarytoken as our icon file. diff --git a/docs/guide/wireguard-token.md b/docs/guide/wireguard-token.md index e6410ac..b6013c7 100644 --- a/docs/guide/wireguard-token.md +++ b/docs/guide/wireguard-token.md @@ -1,6 +1,6 @@ -# WireGuard Token +# WireGuard Canarytoken -## What is a WireGuard token? +## What is a WireGuard Canarytoken? The WireGuard Canarytoken allows you to add a “fake” WireGuard VPN endpoint on your device in seconds. If your device is compromised, a knowledgeable attacker is likely to enumerate VPN
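Review bot: in the `@@ -22,7 +22,7 @@` hunk (the .reg file instructions), the removed and added `Download the .reg file to a Windows system.` lines read identically, so the change is whitespace-only. Please confirm it strips trailing whitespace rather than adding it, or drop the hunk from this terminology rename so the commit stays focused.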
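Review bot: the rename is incomplete in docs/guide/slow-redirect-token.md. The `## Creating the token` heading is left as unchanged context and the added line still begins "Create a token by choosing", while sql-server-token.md, svn-token.md and web-image-token.md in this same patch use `## Creating the Canarytoken` and "Create a Canarytoken by choosing". Suggest updating both for consistency. The rewritten opening paragraph also repeats "Canarytoken" five times in two sentences; replacing the second and later mentions with "it" would read better.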
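Review bot: in docs/guide/svn-token.md the search-and-replace has turned "Canarytoken" into a verb: "Run the command to Canarytoken a repository" and "Canarytoken a dummy SVN repo". Suggest "Run the command to add the Canarytoken to a repository of your choosing" and "place a Canarytoken in a dummy SVN repo". The `## What to tokenize` heading is also left unchanged, so the page now mixes both terms; rename it or state why it is kept.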
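Review bot: in docs/guide/web-image-token.md the list label changes from "Custom Image Web bug" to "Web Image", which is a content change rather than part of the token-to-Canarytoken rename. Please confirm it matches the label shown on the generate page (canarytokens_generate_page.png is updated in this patch) and mention the label change in the commit message. Separately, "bind the Canarytoken to an image" in the first added sentence could be "bind it to an image" to avoid three repetitions.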
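Review bot: in docs/guide/windows-directory-token.md the added lines carry over mismatched quotation marks: `“Canarytoken’d"` and `“Windows Directory Browsing"` open with a curly quote and close with a straight one. Since these lines are being touched anyway, use matching quotes, and consider "a directory containing a Canarytoken" instead of "Canarytoken’d". In the "How this works" line, "set a custom icon for a file" sits oddly next to "in a folder"; desktop.ini customizes the folder, so "for the folder" would be more accurate.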