Why You Should Be Using These Free Canary Tokens To Detect A Breach! [YouTube Release]

Additional Resources:

Where to make the free tokens, no sign up needed
https://canarytokens.org/

OpenCanary
https://opencanary.readthedocs.io/en/latest/

The commercial Canary Tools

Timestamps
00:00 Canary Tokens Haroon Meer
01:55 What Are Canary Tokens
04:33 Creating Canary Tokens
05:34 Triggering Tokens
09:57 AWS Canary Tokens
12:50 Canary QR Code
13:42 Windows Folders

Thanks for this. Added a few “URLs” in the first item in a password manager's list, like All Kids Trust Funds. Of course, those that break into the password manager would see this first and hit it, telling me that someone broke into, say, LastPass or Bitwarden.


Interesting. I’ve been playing with it and unfortunately, they don’t seem to work very well. It looks like when using Excel or Word, you need to hit the Enable Macro button before it will work. Even if you do that, Malwarebytes blocks access to the 52.18.63.80 IP address it tries to hit.

I also played with the PDF option. Foxit has a popup asking you if you want to allow it to reach out to the Internet. Chrome and Edge don’t seem to do anything, as I never got an alert that it was opened.

The Windows Folder appears to work, however, since I unzipped it, I’ve been getting multiple prompts from Malwarebytes blocking its repeated attempts to hit 52.18.63.80.

This constant ping to 52.18.63.80 has me a little worried. I probably should have tested this in a VM and not on my laptop. I’m not sure this is too terribly safe, so I’m probably going to spend the next hour rolling back to last night's image.

Until someone figures out what it’s trying to do, you might want to steer clear of using it. Especially since it’s trying to hit that IP after I deleted the file.

That IP address points to an AWS server in Ireland and says the user is CanaryTokens.

YouTube just suggested a video to me on OpenCanary running on a Raspberry Pi or other Pi-like device. I happen to have a Rock64 1GB that was a reject from another security device; I bought it for $15. Probably going to be pressing it into service pretty soon to play with. From this video, about the only thing you should probably do is spoof the MAC on your Pi; anyone scanning ports who finds a bunch of services with an RPi manufacturer's ID will probably expect it is a trap. Spoofing common Intel server-style MACs would be a good idea.

Here’s the video: Turn a Raspberry Pi into a Thinkst Canary with OpenCanary (Save $2465) - YouTube


Same here. Neither the PDF, Excel nor Word doc triggers any alarms. All from OSX. I guess the latter is more hardened against leaking info?

I’ve got a canary folder set up on my Windows 10 box in my documents folder and it’s triggered every time I log in. I’m not opening the folder, I’m just logging in.
Is that normal behavior?

I also had to whitelist a handful of domains to get the tokens to fire:

.mobile.pipe.aria.microsoft.com
.mobile.events.data.trafficmanager.net # CNAME for (mobile.pipe.aria.microsoft.com)
.onedscolprduks05.uksouth.cloudapp.azure.com # CNAME for (mobile.pipe.aria.microsoft.com)
.canarytokens.com 
.api.mixpanel.com # I believe this is a part of canarytokens