Published: May 7, 2020
Thinkst offers an awesome open-source beaconing service in Canarytokens.org. It’s a great tool to determine if anyone is opening documents inside or outside of your environment. Place a “bugged” exe along side sensitive or confidential files to determine who may be accessing or exfiltrating similar data.
In this tutorial we’ll compile a basic C program into a 64-bit Windows executable, sign it with canarytokens.org, then run it to trigger an alert. The email alert will contain the IP that queried or connected to the canarytoken url using DNS or HTTP.
The first thing we need to get started is a Windows executable. For ease of testing, you could use a program like putty.exe, but I’m going to compile and run some basic C code so our program is as simple as possible.
On my Linux machine: (Debian)
I make a basic C program and named it userdb.cpp. When compiled and ran in the command line, it prints the string “Thanks for using our file!”
Then use the following commands to compile it as a Windows 64bit executable
sudo apt install mingw-w64 (If you don’t have mingw)
sudo x86_64-w64-mingw32-gcc -o userdb.exe userdb.cpp
This will create our initial exe “userdb.exe” to upload to canarytokens.org.
NOTE! Since we have to execute the file on a Windows machine, I’ll copy the file over to my host VM. You can do this now, or once the final file is created, but in the end, we’ll be executing it on a Windows machine.
Lets browse to canarytokens.org
Select your token -> custom exe / binary
Fill out all the forms, providing an email address, description, and choosing userdb.exe as your file.
Finally, click “Create my Canarytoken”
Your token is active!
Click “Save userdb.exe” to download the canary file
The file gets saved via the browser. My original file was in Downloads, so it added a copy (1)
Now you should open the file and check whether it’s working. Double-click the file and select “Run”
The file executes, hangs a second, then a windows command prompt pops up and quickly disappears. About 10 seconds later, I receive the following email
Now we have a source IP to further investigate. The “Token Reminder” gives us a description of which honeytoken fired, so I recommend being descriptive.
We can click “Manage the Canarytoken here” in the email which brings you to the token dashboard.
We can see our token was triggered twice, lets check it out by clicking “history”
I only opened the exe once, but it recorded two IP addressed. The first IP in the list is my public IP address, but the second IP, I’m not 100% sure about. It’s probably the DNS server my IP address queried for this beacon, which is why it “responded” to the beacon first. You can see the beacons are seconds apart.
That fact that anyone would access this document outside of a specific network could be cause for concern. An attacker may be exfiltrating other sensitive data, or an insider threat may be taking confidential documents home. When positioned correctly, canarytokens produce few if any false positives. It’s a great tool to help further identify potential adversaries.