Canarytokens
Posted by jpluimers on 2023/03/02
Cool: [Wayback/Archive] Canarytokens
Canary tokens are a free, quick, painless way to help defenders discover they’ve been breached (by having attackers announce themselves.)
How tokens works (in 3 short steps):
- Visit the site and get a free token (which could look like an URL or a hostname, depending on your selection.)
- If an attacker ever uses the token somehow, we will give you an out of band (email or sms) notification that it’s been visited.
- As an added bonus, we give you a bunch of hints and tools that increase the likelihood of an attacker tripping on a canary token.
The above documentation is just a small portion of what is at [Wayback/Archive] Canarytokens.org – Quick, Free, Detection for the Masses with even more documentation starting at [Wayback/Archive] Introduction | Canarytokens.
Source code (either the site or a docker image):
- site: [Wayback/Archive] thinkst/canarytokens: Canarytokens helps track activity and actions on your network.
- docker: [Wayback/Archive] thinkst/canarytokens-docker: Docker configuration to quickly setup your own Canarytokens.
It is provided by [Wayback/Archive] Thinkst Canary.
I learned it at the height of the Log4Shell mitigation stress. Some related posts from that period:
- [Wayback/Archive] Log4j RCE: Patch issued but think about mitigating for now • The Register
- [Archive] andreasdotorg on Twitter: “In which the #log4j maintainers do the only sensible thing and nuke the entire feature from orbit. Manul, the #langsec cat, purrs approvingly. https://t.co/oVfwgr9YO7” / Twitter
Via: [Archive] ᖇ⦿ᖘ Gonggrijp on Twitter: “IP in Luxembourg, owned by Frantech Solutions from Cheyenne, WY. Judging from a quick round of Google appears to be a bulletproof VM hoster, with clients to match. ” / Twitter
Below image via [Wayback/Archive] Tweet2Img.com | Perfect Tweet screenshots with just one click
The Wiert Corner - irregular stream of stuff 
Leave a comment