You can use a point & click canarytoken from to help test for the #log4j / #Log4Shell issue.
1) visit ;
2) choose the Log4shell token;
3) enter the email address you wish to be notified at;
4) copy/use the returned string...
Jacob Torrey on stage at @shmoocon just released our new Credit Card Canarytoken.
1) Visit to create ur own legit credit-card;
2) Place it in a data-store of your choice;
3) Get an alert when an attacker runs that card!
Read more:
Some commands are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users in regular usage).
Our @subtee has just released a new (free) Canarytoken to make monitoring these commands trivial.
Read more about it -
Keeping up with security research is near impossible.
Vendor pitches & bombastic claims add to the noise.
ThinkstScapes fixes this.
Grab quarterly reviews¹ by sec researchers with decades in the field. (PDF or audio)
__
¹ Free. Not even reg. needed
Easily drop fake AD credentials on your network and detect when they are used.
(Our) Roberto took a pass at automating @ippsec's awesome work¹ combining fake AD accounts and Canarytokens.
Check out our blog post at :
__
¹
Would you know if your mobile phone was hacked?
Our new WireGuard token deploys in seconds to give you a VPN config on your device.
An attacker who compromises the phone has to try accessing it, and you get that one alert. When it matters.
Years ago, when we created , we needed icons for each token. We used the MS Word icon for Word tokens, and Amazon's logo for AWS tokens.
For DNS tokens, we've always used a headshot of @dakami
Always such an icon. R.I.P
Our Cloned Website Canarytoken¹ has caught attackers all over the world.
Jacob's new CSS Canarytoken² allows this to work when all u can control is ur site's CSS. (It also works a treat to detect AitM phishing on Azure login portals)
__
¹ Free
² Also Free
Canarytokens force attackers to doubt anything they find on ur servers.
Today, thanks to @dev0x01 - we ask:
What happens when an attacker finds a Kubeconfig file on ur server?
A: They use it, and u get a reliable alert!
Our new (free) Kubeconfig token:
Two weeks ago we scrambled to beef up the free server to handle the log4j load.
Rushed config changes then & a reboot today killed the in-memory db powering that server.
Tokens created on the free server in the past 2 weeks are gone & shld be recreated.
"In the first 24-ish hours – this Canary did its job".
It's kinda crazy, but it's a rare week that goes by without us getting news of a Canary somewhere earning its keep.
We absolutely 💚 the feedback.
HackerNews discovered Canarytokens (again).
“Within 1 year I found a breach on a developers box and another on a frontend server”
“A dozen canary tokens will probably get your security detection program a lot further than your first $2M of splunk license”
Using DFIR reports to examine where Canaries & Canarytokens cld be placed to help defenders win.
This post covers the latest release by the folks at @TheDFIRReport¹ - A Bird’s-eye view: IceID to Dagon Locker.
__
¹ We love their work!
What would an attacker do if they found credentials to an arbitrary REST API on your network? (We think most would try them).
Our @subTee wrote a quick blogpost on how to use existing Canaries (&& Canarytokens) to detect enterprising attackers like this.
Our @HeyJayza just built a Slack-API Canarytoken.
- Drop one on a file-server;
- Drop some on developer laptops;
- Drop some in your code repos.
Attackers think they are getting access to your Slack (they are just announcing their presence).
Cost: $0.00
Result: Priceless!
Before he joined us in Labs, Casey Smith (@subtee) was a customer who deployed Canaries && Canarytokens in his org.
In a new blog series, discussing customer deployments, he talks us through how they used "Canaries as Network Motion Sensors".
Last month @cyb3rops and @markus_neis chatted about a cool cmdkey technique to point attackers (running Mimikatz) to a Canary/Honeypot.
Riaan and @nickrohrbs put out a quick blogpost on how you can use this to lead attackers to your birds.
Thanks to @nickrohrbs (and initial work from @jas502n) the Canarytoken will now also fetch the vulnerable server's hostname.
(This has the ancillary benefit of the test being less prone to resolution false positives).
Simply use as before.
We are repeating last year's crazy Black Friday Offer:
Create as many Canarytokens as you want, completely free¹ at .
At this price, you’d be crazy not to sprinkle some around your network.
__
¹ Tokens only free till heat death of Universe;
With all this talk on QR Codes, it’s worth noting that you can turn ‘em into detection tripwires too.
Attackers follow QR codes too.
Create free QR Code Canarytokens for physical objects at (as of last month paid allows you to bounce to another server)
We had the smart folks at @NCCGroupInfosec do a security audit on Canary (to add to our customers' peace of mind)
“Overall, Thinkst have done a good job and shown that they are invested in producing not only a security product but also a secure product”
Having a paying Canary customer in Antarctica allowed us to say that we had customers on all 7 continents. (We loved it & used to lord this over @duosec when fighting them for "most loved company in infosec").
We no longer have just one customer there...
We now have two ✊💚🐧
Q: What does an attacker do if she finds a mysql-dump file on one of ur servers?
A: She loads it into a tmp-db to go through it
Q: Can we get an alert if that happens?
A: Absolutely!
@JacobTorrey writes about building our new/free MySQL Canarytoken:
Sent a couple of canary tokens to a threat actor phishing for Metamask account phrases 🦊🪙🪙
The actor used ProtonVPN out of the Netherlands 🇳🇱
Until they forgot...
🇳🇬197.211.52.13
Two weeks ago, @ollieatnowhere mentioned¹ being able to generate DNS/HTTP requests when viewing QT & MP4 files.
Our Gerrie Crafford took a swing at building it into a reliable Canarytoken & wrote about the process²
__
¹
² currently not a Canarytoken
A fun little canary for you all in cyber defence to help detect breaches/data theft.
QT & MP4 files can reference external urls via 'rdrf' sections. These can be URLs and thus you can get a DNS resolution and/or HTTP request on open.
Have an MP4 working example in VLC...
A few months ago we released our WireGuard Canarytoken.
Today, @azhrdesai released a blogpost on how it works under the hood.
It’s worth checking out to learn how it’s built (and to see him fawn over @WireGuardVPN)
It turns out this “Canary cufflink” idea really has taken off.
Drop us a DM if you’d like a set of Canary cufflinks¹
__
¹ for people who don’t wear cufflinks, we totally believed they were pins/badges till our recent re-education
"Frankly it’s a reason enterprise software is often so terrible; tons of options you barely understand or know about, and are configured according to tutorials/examples rather than understanding."
A quick post by our own PaulG, on the use of examples:
Our (free) AWS Canarytokens have always been popular.
Today, we released the Azure alternative on our server¹
Attackers who find ‘em have to use ‘em (and reveal their presence).
Check out Pieter’s blog post at:
__
¹ also free
Everybody wants to be your “single pane of glass”.
Everybody wants to be a platform.
We don’t.
We want to be awesome at what we do & then want to get out of ur way.
If u use @RumbleDiscovery u can now lookup IPs in Rumble from ur @ThinkstCanary console
If you are running OpenCanary, you should upgrade to 0.6.1
@nvangijzen discovered two-bytes that let you distinguish our fake MySQL server from a real one.
This allows you to tell if OpenCanary is running on a host (if it's running the MySQL module).
pip upgrade for the fix
@brownglock @haroonmeer @halvarflake Headcount is meaningless because it creates the perverse incentive of wanting to build big teams instead of wanting to build great products.
It's also really discriminatory¹.
__
¹ If we employed hydras or Cerberus or other creatures with multiple heads do they count as 1 or 3?
This month is 8 years since we shipped our first Canaries to customers.
We 💚 that we've never had to raise our prices;
We 💚 that most of our customers from year-1 are still on-board;
We 💚 being able to do this.
Here's to 8 more! ✊💚
AWS Canarytokens are a low-effort, high-fidelity method to detect attackers.
Enterprising attackers could have used gaps in CloudTrail logging to try to identify those “spiked” AWS creds.
Our @HeyJayza & @marcoslaviero built “Safety Net” to fix this.
“This is ⬛️⬛️⬛️⬛️⬛️⬛️¹ doing a pen test for us and as usual the Canary caught them on the first day³”
__
¹ Name of popular pen test house removed.
² “as usual Canary caught them on the first day”
³ Just an average day
During December, Quinn snuck "breadcrumbs" into our Canary Consoles.
Empirically, attackers find Canaries and trip over them without much help - but now you can trivially drop breadcrumbs to lead them there too.
I think that deception tech (traps, decoys, lures, canaries) is still highly underrated and will become much more important in the coming years
I like it because it plays out its strength when your established protection measures and detection logic have already failed
Whoop! Whoop!
GCP Canaries are now ready to roll...
Much like their hardware, AWS and VM brethren, they will install in minutes and require 0 ongoing admin overhead.
Drop us a note and it will automagically show up on your console!
We ship a bunch of Canary gifts around the world and wanted to cut down on the extra plastic.
Thanks to our friends at the Sparrow Society () future canary-gifts will arrive in sustainable, ethically && locally made bags.
♻️✊💚
A few months ago we released¹ our WireGuard Canarytoken.
Thanks to @azhrdesai that token is now available on our free Canarytoken server (at )
$0.00 && Super Useful!
__
¹
Our own @shifttymike wrote a blog post on how we use the Linux Audit System (LAS) and ELK to detect "badness" on customer consoles. It's worth a quick read:
If you want some light(ish) reading (that doesn't mention Log4J at all) @JacobTorrey has released our Q4-Research-Roundup at
It's free, non-paywalled, covers over 300 confs and is a great read/listen.
You can also (finally) subscribe to future releases.
The recording of our webinar:
"Enterprise Breach Detection in 15-minutes (from the comfort of your couch)" is now available.
You get:
- Bad Jokes/Accents;
- To see us deploy hardware, .vmx, .ova & AWS Canaries (+ dozens of tokens) in under 10 minutes.
SolarWinds¹ "the perpetrators spent months inside the company’s software development labs honing their attack"
This is common. Attackers land & spend months/years before the big hit.
Take 30 mins today & deploy 20 Canaries.
Know when it matters.
__
¹
Know. When it matters.
"having the canary on my network, was the single key signal that I needed"
"I don't know how many of your customers go from, turning on a canary, to finding someone bad in their network but I only got mine going 11/25 & on 12/22 it save my company." (sic)
The CreditCard Canarytoken is super popular && is getting hit really hard.
We know lots of people are getting API-rate-limited.
Sorry.
This is an upstream limitation with our current credit card issuer && We are working to onboard other providers to overcome this.
Our @wleightond just pushed out a brand new Canarytoken.
1) Visit ;
2) Create a fake app¹;
3) Download it to your home-screen;
4) Get an alert when anyone else opens it!
Read more about it at
__
¹ Still completely free
Birds of a Feather... We are super pleased to welcome @sawaba to Team-Canary.
💚 💚 💚
From next week, he will be making us smarter, and customers happier as he spreads the Tao of the Canary.
We are stoked!
A quick blog post by @subT3e on how our canarytokens are used to detect when your websites are cloned (and how this defense¹ holds up against new-style reverse-proxy attacks).
__
¹ This token is also available free at