Canarytokens

Your Web token is active!

Copy this URL to your clipboard and use as you wish:

↻

Remember, it gets triggered whenever someone requests the URL.

If the URL is requested as an image (e.g. <img src="">) then a 1x1 image is served. If the URL is surfed in a browser then a blank page is served with fingerprinting Javascript.

Ideas for use:

In an email with a juicy subject line.
Embedded in documents.
Inserted into canary webpages that are only found through brute-force.
This URL is just an example. Apart from the hostname and the actual token (the random string), you can change all other parts of the URL.

Your Fast Redirect token is active!

Copy this URL to your clipboard and use as you wish:

↻

The token is similar to the Web token, however, when the link is loaded the view will be immediately redirected to the specified redirect URL.

Ideas for use:

Replace links with these to capture user information before user is redirected to where they want to go.
Embedded in documents.
Inserted into canary webpages that are only found through brute-force.
This URL is just an example. Apart from the hostname and the actual token (the random string), you can change all other parts of the URL.

Your Slow Redirect token is active!

Copy this URL to your clipboard and use as you wish:

↻

The token is similar to the Fast Redirect token, however, when the link is loaded the user's browser / browser plugin information is captured.

Ideas for use:

Replace links with these to capture user information before user is redirected to where they want to go.
Embedded in documents.
Inserted into canary webpages that are only found through brute-force.
This URL is just an example. Apart from the hostname and the actual token (the random string), you can change all other parts of the URL.

Your DNS token is active!

Copy this hostname to your clipboard and use as you wish:

Remember, it gets triggered whenever someone performs a DNS lookup of the hostname.

The source IP address shown in the alert is the DNS server, not the end user.

Ideas for use:

Include in a PTR entry for dark IP space of your internal network. Quick way to determine if someone is walking your internal DNS without configuring DNS logging and monitoring.
Leave in a .bash_history, or .ssh/config, or ~/servers.txt
Use as a extremely simple bridge between a detection and notification action. Many possibilities, here's one that tails a logfile and triggers the token when someone logs in:
```
tail -f /var/log/auth.log | awk '/Accepted publickey for/ { system("host k5198sfh3cw64rhdpm29oo4ga.canarytokens.com") }'
```
Use as the domain part of an email address.

Your Email address token is active!

Here is a unique email address:

Remember, it gets triggered whenever someone sends an email to the address.

Ideas for use:

In a database with a USERS table, drop a fake record in there with this email address. If it gets triggered you know someone has accessed your data.

Your MS Word token is active!

Download your MS Word file

You'll get an alert whenever this document is opened in Microsoft Office, on Windows or Mac OS.

You can rename the document without affecting its operation.

Ideas for use:

Drop the file on a Windows network share.
Leave the file on a web server in an inaccessible directory, to detect webserver breaches.
Attach to an email with a tempting Subject line.

Your sensitive process execution token is active!

Download your MS registry file

Once installed (with admin permissions) you'll get an alert whenever someone (or someone's code) runs your sensitive process. It will automatically provide the command used, computer the command ran on, and the user invoking the command.

In order to ensure that the token fires for both 32-bit and 64-bit executables, we suggest installing by running the following commands:

reg import FILENAME /reg:64

reg import FILENAME /reg:32

Ideas for use:

Ideal candidates are executables often used by attackers but seldom used by regular users (e.g., whoami.exe, net.exe, wmic.exe, etc.).
You can use this for attacker tools that are not present on your system (e.g., mimikatz.exe), and if they are ever downloaded and run you'll get an alert!
Use a network management tool to deploy across your organization.

Your credit card token is active!

Name:

Card Number:

Expiration Date:

Security Code:

Download your credit card data

If the card number is ever used in an authorization, the transaction will be declined, but you will be alerted.

Ideas for use:

Stick this in a database that stores payment information and get alerted if it is ever breached.
You can use any name or address in association with the card number and CVC.
Put it in a document with other personal information regarding e.g., travel preferences in case someone snoops around your computer.

Your MS Excel token is active!

Download your MS Excel file

You'll get an alert whenever this document is opened in Microsoft Office, on Windows or Mac OS.

You can rename the document without affecting its operation.

Ideas for use:

Drop the file on a Windows network share.
Leave the file on a web server in an inaccessible directory, to detect webserver breaches.
Attach to an email with a tempting Subject line.

Your PDF token is active!

Download your PDF file

You'll get an alert whenever this document is opened with Acrobat Reader, regardless of the user's security preferences in Reader.

You can rename the document without affecting its operation.

Ideas for use:

Drop the file on a Windows network share.
Leave the file on a web server in an inaccessible directory, to detect webserver breaches.
Attach to an email with a tempting Subject line.

Your Windows Folder token is active!

Download your Zip file

Unzip this file in a folder, and get notified when someone browses the folder in Windows Explorer. It will even trigger if someone is browsing the folder via a network share!

The alert will include the network domain and username of the browsing user, if present.

Ideas for use:

Unzip the file on a juicely named Windows network share.
Unzip the file on your CEO's laptop on a folder on their Desktop.

Your Signed Executable token is active!

Save this file and deploy on Windows machines:

Remember, this token is triggered whenever the binary file is executed. For EXEs, this means direct execution and for DLLs, it means they were loaded.

Ideas for use:

Decide on a few default binaries commonly used by attackers, and token them.

Your Cloned Website token is active!

Use this Javascript to detect when someone has cloned a webpage.

Place this Javascript on the page you wish to protect:

Obfuscate this script
Show Obfuscated JavaScript

When someone clones your site, they’ll grab this JavaScript too. When the script runs on their cloned site, it triggers an alert to let you know what’s going on.

Ideas for use:

Deploy on the login pages of your sensitive sites, such as OWA or tender systems.

Your CSS Cloned Website token is active!

Use this CSS to detect when someone has cloned a webpage. Place this CSS on the page you wish to protect, or import it as custom branding:

When someone clones your site, they'll load the token, which will check whether the referrer domain is expected. If not, it fires the token and you get an alert.

Ideas for use:

Only the url() portion is required, you can change the selector and add display: hidden if you want to style an invisible element.
Put this CSS style inline on an HTML element on a site you aren't allowed to add Javascript to (e.g., Wordpress).

Your Entra ID login token is active!

This token can be deployed automatically or manually. It inserts CSS into your Azure tenant's Entra ID login page to detect when the page has been cloned.

Automatic Flow

You give us access to manage your Entra setup.

OR

Manual Flow

You insert the token manually yourself.

Back

Manual Steps

1

Download the necessary CSS.

2

Navigate to your Entra ID login customisation page.

3

Choose Layout, scroll down to Custom CSS, click Browse and choose the downloaded CSS from the first step.

When someone clones your site, they'll load the token, which will check whether the referrer domain is expected. If not, it fires the token and you get an alert.

Ideas for use:

Save this CSS file and upload it as a custom branding stylesheet for your Azure Entra ID login portal (requires a P1 or P2 subscription).

Your SQL Server token is active!

The next step is to copy the SQL snippet below and run in your SQL Server database.

--create a table-view function to query the canary hostname CREATE function (@RAND FLOAT) returns @output table (col1 varchar(max)) AS BEGIN declare @username varchar(max), @base64 varchar(max), @tokendomain varchar(128), @unc varchar(128), @size int, @done int, @random varchar(3); --setup the variables set @tokendomain = ''; set @size = 128; set @done = 0; set @random = cast(round(@RAND*100,0) as varchar(2)); set @random = concat(@random, '.'); set @username = SUSER_SNAME(); --loop runs until the UNC path is 128 chars or less while @done <= 0 begin --convert username into base64 select @base64 = (SELECT CAST(N'' AS XML).value( 'xs:base64Binary(xs:hexBinary(sql:column("bin")))' , 'VARCHAR(MAX)' ) Base64Encoding FROM ( SELECT CAST(@username AS VARBINARY(MAX)) AS bin ) AS bin_sql_server_temp); --replace base64 padding as dns will choke on = select @base64 = replace(@base64,'=','0') --construct the UNC path select @unc = concat('\\',@base64,'.',@random,@tokendomain,'\a') -- if too big, trim the username and try again if len(@unc) <= @size set @done = 1 else --trim from the front, to keep the username and lose domain details select @username = substring(@username, 2, len(@username)-1) end exec master.dbo.xp_dirtree @unc-- WITH RESULT SETS (([result] varchar(max))); return END --create a view that calls the function alter view as select * from master.dbo.(rand()); --change permissions on to SELECT for [public] --change permissions on to SELECT for [public] --don't allow [public] to view the definitions

When the actions are run, your Canarytoken will be triggered.

Since DNS is used as the underlying transport, the Source IP will be that of a DNS server, not the database server.

Ideas for use:

Deploy a SELECT token with a tempting VIEW name such as USER_DETAILS.

Your MySQL token is active!

There are two ways you can use this token:

1.) Insert it into a MySQL dump of your own:

SET @b = ''; SET @s2 = FROM_BASE64(@b); PREPARE stmt1 FROM @s2; EXECUTE stmt1; PREPARE stmt2 FROM @bb; EXECUTE stmt2; START REPLICA;

OR

2.) Download a (pseudo) random MySQL dump with a token already embedded in it

Download a MySQL Dump file

Encode snippet to make it harder to spot

When the MySQL statements are run, your Canarytoken will be triggered.

Ideas for use:

Attackers who find MySQL dump files will usually throw them into a temporary database to query the data. When a dump file with this snippet is ingested, it will let us know.

Your QR Code token is active!

Use this QR Code to token a physical location or object:

Download

When someone scans the QR Code with a reader, it will trigger the URL tied to your token and fire an alert.

Ideas for use:

On containers left in secure locations.
Underneath your phone battery when crossing international borders.
On your desk.

Your WireGuard VPN Config token is active!

Scan this QR Code with the WireGuard app on your phone or copy the config below.

Don't have the WireGuard app?

Whenever someone tries to use this WireGuard VPN config to see what access it gets them, an alert is triggered.

This WireGuard config can be installed anywhere WireGuard is used, such as on phones, laptops and servers.

Your SVN token is active!

Run this SVN command in a dummy repo:

Remember, it gets triggered whenever someone clones the SVN repo.

Don't forget to run

svn commit

after you've added the token.

The source IP address shown in the alert is the DNS server, not the end user.

Ideas for use:

Token a dummy SVN repo to detect when attackers are enumerating repos.
Token an old repo which shouldn't be touched any longer.

Your AWS key token is active!

Copy this credential pair to your clipboard to use as desired:

Download your AWS Creds

This canarytoken is triggered when someone uses this credential pair to access AWS programmatically (through the API).

The key is unique. i.e. There is no chance of somebody guessing these credentials.

If this token fires, it is a clear indication that this set of keys has "leaked".

Ideas for use:

These credentials are often stored in a file called ~/.aws/credentials on linux/OSX systems. Generate a fake credential pair for your senior developers and sysadmins and keep it on their machines. If someone tries to access AWS with the pair you generated for Bob, chances are that Bob's been compromised.
Place the credentials in private code repositories. If the token is triggered, it means that someone is accessing that repo without permission

Your Azure Service Principal Login is active!

Save this json config file along with the certificate:

Download Azure Certificate

This canarytoken is triggered when someone uses this Service Principal Login to access Azure programmatically (through the API).

The Service Principal Login is unique. i.e. There is no chance of somebody guessing these credentials.

If this token fires, it is a clear indication that this Service Principal Login has "leaked".

Ideas for use:

Most systems have a ~/.azure folder (much like the ~/.aws or ~/.ssh). Create a config file with the config details from the token and place it near the certificate (ensuring that the config value has a path to the certificate).
Place the credentials in private code repositories. If the token is triggered, it means that someone is accessing that repo without permission

Your Kubeconfig Token is active!

Download your tokened Kubeconfig file

You'll get an alert when someone tries to use your Kubeconfig.

Ideas for use:

Place the file at ~/.kube/config on a host, tempting an attacker to use it.
Place the file in private code repositories. If the token is triggered, it means that someone is accessing that repo without permission.

Your log4shell token is active!

The next step is to copy the log4j snippet below and test your systems for the log4shell issue.

If the log line is consumed by a vulnerable log4j library, it will generate an alert on this token.

If this works, you will also obtain the hostname of the vulnerable server.

You can read more on this issue at LunaSec