Thanks for this. Added a few “url’s” in the first item in a password managers list like All Kids Trust Funds. Of course those that break into the password manager would see this first and hit it telling me that someone broke into say lastpass or bitwarden.
Interesting. I’ve been playing with it and unfortunately, they don’t seem to work very well. It looks like when using Excel or Word, you need to hit the Enable Macro button before it will work. Even if you do that, Malwarebytes blocks access to the 52.18.63.80 IP address it tries to hit.
I also played with the PDF option. FoxIt has a popup asking you if you want to allow it to reach out to the Internet. Chrome and Edge don’t seem to do anything as I never got an alert that it was opened.
The Windows Folder appears to work, however, since I unzipped it, I’ve been getting multiple prompts from Malwarebytes blocking its repeated attempts to hit 52.18.63.80.
This constant pin to 52.18.63.80 has me a little worried. I probably should have tested this in a VM and not on my laptop. I’m not sure this is too terribly safe so I’m probably going to spend the next hour rolling back to last nights image.
Until someone figures out what it’s trying to do, you might want to steer clear of using it. Especially since it’s trying to hit that IP after I deleted the file.
That IP address points to an AWS server in Ireland and says the user is CanaryTokens.
YouTube just suggested a video to me on Open Canary running on Raspberry Pi or other Pi like device. I happen to have a Rock64 1gb that was a reject from another security device, bought it for $15. Probably going to be pressing it into service pretty soon to play with. From this video, about the only thing you should probably do is spoof the MAC on your Pi, anyone scanning ports that finds a bunch of services with an RPi manufacturers ID will probably expect it is a trap. Spoofing common Intel server style MACs would be a good idea.
I’ve got a canary folder set up on my Windows 10 box in my documents folder and it’s triggered every time I log in. I’m not opening the folder, I’m just logging in.
Is that normal behavior?
I also had to whitelist a handful of domains to get the tokens to fire:
.mobile.pipe.aria.microsoft.com
.mobile.events.data.trafficmanager.net # CNAME for (mobile.pipe.aria.microsoft.com)
.onedscolprduks05.uksouth.cloudapp.azure.com # CNAME for (mobile.pipe.aria.microsoft.com)
.canarytokens.com
.api.mixpanel.com # I believe this is a part of canarytokens
https://twitter.com/TomLawrenceTech
Lawrence Systems's Amazon Page
lawrencesystems | creating Tech Tutorials & Reviews | Patreon
Timestamps