Threat Detection Glossary

Canary Token - Tripwire für frühe Angriffserkennung

Canary Tokens are invisible digital tripwires that raise an immediate alert as soon as an attacker touches them. Types: URL tokens (embedded in documents), DNS tokens, AWS key tokens, Excel tokens. Detects: insider threats, document exfiltration, credential theft, network reconnaissance. Free via canarytokens.org (Thinkst Canary). Deployed in honeydocs, Active Directory, Kubernetes Secrets.

Canary Tokens are digital tripwires: hidden markers that trigger an immediate alert when an attacker touches or uses them. They are a central tool of deception technology. Instead of waiting for known attack signatures, the defender plants tempting bait, and the attacker exposes themselves the moment they take it. The term comes from the canaries that warned miners of toxic gases.

How Canary Tokens Work

Token Creation

  • Admin creates a token at canarytokens.org (free)
  • Receives: a unique tracking URL or resource
  • Embeds the token in an attractive target (file, credential, etc.)

Token Activation (Attacker Interacts with Token)

  • URL accessed → HTTP request sent to Canary server
  • DNS query → DNS request visible
  • AWS key used → API call detected

Immediate Notification

  • Alert via email, Slack, webhook
  • Includes: Timestamp, IP address, User-Agent, Geo-location
  • No false positives: no one opens this file legitimately!

Advantage over honeypots

  • No separate system required
  • Embedded in existing infrastructure
  • Very low effort (minutes to set up)
  • Zero false positive rate (when placed correctly)

Token Types and Use Cases

1. Web/URL Token (most common variant)

  • Invisible 1x1 pixel link embedded in document
  • Upon opening: HTTP request → Alert

Use:

  • "Payroll_Confidential.docx" on NAS share
  • If an insider opens the document → immediate alert
  • Contains IP, timestamp → Perpetrator identifiable

2. DNS Token

  • Domain that only appears in the Canary token
  • Upon DNS resolution → Alert (no matter where from!)

Usage:

  • Hostname in network config that should never be contacted
  • When a reconnaissance tool resolves the hostname → Attacker on the network

3. AWS Access Key Token

  • Faked AWS key (looks real!)
  • Format: AKIA[...] (valid-looking format)
  • Canarytokens.org monitors the key: any AWS API call made with it raises the alert

Usage:

  • In code repository: "test-credentials.env"
  • On developer’s laptop: ~/.aws/credentials as honeycredential
  • Attacker steals key → uses it → immediate alert

4. Excel/Word Token

  • Macro or external reference in Office document
  • Upon opening: HTTP request (no macro needed! via DDEAUTO)

Deployment:

  • "Q4-Figures_Board.xlsx" on compromised share
  • HR: "Layoff_List.xlsx"

5. Active Directory (AD) Token

  • Honeypot user in AD: "svc-backup-admin"
  • Kerberoastable (SPN set)
  • If someone requests a Kerberos ticket → Alert!

# Create AD honeypot user (ActiveDirectory module, run with domain admin rights)
# The account must be enabled, otherwise the KDC will not issue service tickets for it
New-ADUser -Name "svc-backup-old" `
  -SamAccountName "svc-backup-old" `
  -ServicePrincipalNames "HTTP/backup-srv.internal" `
  -AccountPassword (Read-Host -AsSecureString "Honeypot password") `
  -PasswordNeverExpires $true `
  -Enabled $true
# Canary: any service ticket request for this account (Event ID 4769,
# ServiceName = svc-backup-old) is an alarm; nothing legitimate uses this SPN
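Detection for the AD honeypot user above, as an added example (not from the original page or from canarytokens.org): two constructed Event ID 4769 records are parsed and every service ticket request for the assumed honeypot name "svc-backup-old" becomes an alert, with the RC4 request flagged separately.

```python
import xml.etree.ElementTree as ET

CANARY_ACCOUNTS = {"svc-backup-old"}  # honeypot accounts created as above (assumed names)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Two constructed Event ID 4769 records (Kerberos service ticket requested), trimmed to
# the fields that matter: a normal AES ticket for a real file server, then a request
# for the honeypot SPN with RC4 (0x17), the classic Kerberoasting tell.
SAMPLE_EVENTS = [
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>4769</EventID><TimeCreated SystemTime="2026-03-04T14:20:11Z"/></System>'
    '<EventData><Data Name="TargetUserName">mueller@CORP.INTERNAL</Data>'
    '<Data Name="ServiceName">fileserver01$</Data><Data Name="TicketEncryptionType">0x12'
    '</Data><Data Name="IpAddress">::ffff:192.168.1.147</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>4769</EventID><TimeCreated SystemTime="2026-03-04T14:23:07Z"/></System>'
    '<EventData><Data Name="TargetUserName">mueller@CORP.INTERNAL</Data>'
    '<Data Name="ServiceName">svc-backup-old</Data><Data Name="TicketEncryptionType">0x17'
    '</Data><Data Name="IpAddress">::ffff:192.168.1.147</Data></EventData></Event>',
]

def parse_4769(xml_text):
    """Flatten one Windows event XML record into a dict; None if it is not a 4769."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4769":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    data["time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data["IpAddress"] = data["IpAddress"].replace("::ffff:", "")  # strip IPv4-mapped prefix
    return data

def canary_alerts(xml_events):
    """Every service ticket request for a honeypot account is an alert, whatever the
    encryption type: nothing legitimately talks to that SPN. RC4 is flagged separately
    because a downgrade to 0x17 is the usual sign of roasting rather than normal use."""
    alerts = []
    for ev in map(parse_4769, xml_events):
        if ev and ev["ServiceName"].rstrip("$").lower() in CANARY_ACCOUNTS:
            alerts.append({"time": ev["time"], "requester": ev["TargetUserName"],
                           "source_ip": ev["IpAddress"], "service": ev["ServiceName"],
                           "rc4_requested": ev["TicketEncryptionType"].lower() == "0x17"})
    return alerts

if __name__ == "__main__":
    for a in canary_alerts(SAMPLE_EVENTS):
        print("CANARY TRIGGERED:", a)
```

In production the same logic runs over `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}` output exported as XML, or over the 4769 events your SIEM already collects from the domain controllers.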

6. Kubernetes Secret Token

  • Fake Kubernetes Secret with real AWS key format
  • If someone uses the secret value → AWS alert

apiVersion: v1
kind: Secret
metadata:
  name: legacy-aws-credentials   # tempting!
type: Opaque
data:
  # "data" values are base64; this one decodes to the placeholder AKIA[CANARYTOKEN],
  # replace it with the base64 of a key generated at canarytokens.org
  AWS_ACCESS_KEY_ID: QUtJQVtDQU5BUllUT0tFTl0=  # Canary Key

7. PDF Token

  • Embedded URL in PDF (URL field in form or link)
  • When PDF is opened with Reader → HTTP request

8. MySQL Honeypot Credentials

  • Fake DB connection details in configuration file
  • SQL login attempt against Canary server → Alert

Implementation with canarytokens.org

Quick Start (free)

  1. Create token:

    • https://canarytokens.org/generate
    • Select type: "Web bug / URL token"
    • Enter email for alerts
    • Token memo: "NAS Share - Payroll Summary"
    • Download: finished file with embedded token

  2. Test triggering:

# Call the token URL directly
curl "https://canarytokens.org/[TOKEN]"
# → Immediate email alert!

  3. Self-hosted (Thinkst Canary Open Source):

# Docker setup
git clone https://github.com/thinkst/canarytokens
cd canarytokens
docker-compose up -d

# Configuration (.env):
# CANARY_DOMAINS=canary.internal
# ALERT_EMAIL=security@example.com

Embed token in Word document

# PowerShell - linked external image (Canary URL) in DOCX
# LinkToFile = $true and SaveWithDocument = $false: Word stores only the URL,
# so every open of the document fetches the picture and trips the token.
# (With LinkToFile = $false Word would download the image once and embed it,
# and later opens would never contact the Canary server.)
$word = New-Object -ComObject Word.Application
$document = $word.Documents.Open("C:\template.docx")
$shape = $document.InlineShapes.AddPicture(
  "http://canarytokens.org/[TOKEN].png",
  $true, $false)
$shape.Width = 1   # 1px - invisible!
$shape.Height = 1
$document.Save()
$document.Close()
$word.Quit()

Alert Analysis and Response

Alert Content (canarytokens.org)

Timestamp: 2026-03-04 14:23:07 UTC
Token:     Payroll_2026 (Excel)
Source IP: 192.168.1.147
User-Agent: Mozilla/5.0 (Windows NT 10.0...)
Geo:       Germany, Gelsenkirchen

Immediate Response

  1. Resolve the IP address internally:

# Check the DHCP log
grep "192.168.1.147" /var/log/dhcpd.log | tail -20
# → "DHCP-Lease: 14:22:50 - LAPTOP-MUELLER-CW"

  2. Identify AD account:

# Windows Security Log 4624 (Logon) events originating from this IP
# (in 4624, Properties[5] = TargetUserName, Properties[18] = IpAddress)
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624 } |
  Where-Object { $_.Properties[18].Value -eq '192.168.1.147' } |
  Select-Object TimeCreated, @{ n='Account'; e={ $_.Properties[5].Value } }

  3. Initiate Incident Response:
    • Temporarily lock the account
    • Take a forensic copy of the laptop
    • Notify HR and Legal (Insider Threat!)

Canary Alert via Slack Webhook

{
  "channel": "#security-alerts",
  "text": "CANARY TRIGGERED: Payroll_2026.xlsx",
  "attachments": [{
    "color": "danger",
    "fields": [
      {"title": "Source IP", "value": "192.168.1.147"},
      {"title": "Time", "value": "2026-03-04 14:23:07 UTC"},
      {"title": "User-Agent", "value": "Chrome/120 Windows"}
    ]
  }]
}
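The whole loop from "How Canary Tokens Work" through to the alert above, as an added example that is not canarytokens.org's code or part of the original page: a minimal self-hosted token server mints an unguessable token id, serves a 1x1 pixel for the bait URL, records every hit with source IP and User-Agent, and shapes it into the Slack payload shown above. Port, paths and memo text are assumptions.

```python
import json
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {}   # constructed registry: token id -> memo (what the bait is, where it sits)
ALERTS = []   # every hit; a real deployment forwards these to email/Slack/webhook
# 1x1 transparent GIF returned for the bait URL, so the document just shows an empty pixel
PIXEL = bytes.fromhex("47494638396101000100800000000000ffffff21f90401000000002c"
                      "00000000010001000002024401003b")

def create_token(memo):
    """Mint an unguessable token id; the attacker only ever sees the resulting URL."""
    token = secrets.token_hex(16)
    TOKENS[token] = memo
    return token

def record_hit(path, source_ip, user_agent):
    """Resolve /<token>.png to its memo. Unknown ids (scanners, typos) are ignored;
    a known id is always an alert, because nobody opens the bait legitimately."""
    token = path.strip("/").split(".")[0]
    if token not in TOKENS:
        return None
    alert = {"time": datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
             "memo": TOKENS[token], "source_ip": source_ip, "user_agent": user_agent}
    ALERTS.append(alert)
    return alert

def build_slack_alert(alert, channel="#security-alerts"):
    """Shape a hit into the Slack webhook payload format shown above."""
    return {"channel": channel, "text": "CANARY TRIGGERED: " + alert["memo"],
            "attachments": [{"color": "danger", "fields": [
                {"title": "Source IP", "value": alert["source_ip"]},
                {"title": "Time", "value": alert["time"]},
                {"title": "User-Agent", "value": alert["user_agent"]}]}]}

class CanaryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        hit = record_hit(self.path, self.client_address[0], self.headers.get("User-Agent", "-"))
        if hit:
            print(json.dumps(build_slack_alert(hit)))  # stand-in for webhook delivery
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.end_headers()
        self.wfile.write(PIXEL)

if __name__ == "__main__":
    print("bait URL:", "http://127.0.0.1:8080/%s.png" % create_token("NAS Share - Payroll Summary"))
    HTTPServer(("127.0.0.1", 8080), CanaryHandler).serve_forever()
```

Run it, embed the printed URL as a linked 1px image (as in the Word snippet above) and open the document: the hit is printed as the Slack payload.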

Strategic Token Placement

Network Reconnaissance Detection

  • DNS canary for non-existent servers: "backup-old.internal"
  • If an attacker runs nmap/BloodHound → DNS resolution → Alert
  • Honeypot admin share: \\server\C$\passwords_old

Credential Theft Detection

  • Fake .aws/credentials in default path
  • KeePass file with Canary URL as entry
  • Chrome password file with fake credentials

Lateral Movement Detection

  • Canary user in AD (Kerberoastable)
  • Fake admin credentials in SYSVOL
  • Honeypot RDP session on unused server

Document Exfiltration

  • "Complete_Customer_List.xlsx" (with Canary)
  • "CEO_Salary_Contract.pdf" (with Canary)
  • "M&A_Internal_Confidential.docx" (with Canary)
  • Each of these files triggers an alert when opened

Return on Investment

  • Setup time: 5–10 minutes per token
  • Cost: free (canarytokens.org)
  • False positive rate: ~0% (when placed correctly)
  • Detection rate: very high (attackers are eager for "tasty" files)