
What Are Canary Tokens and How to Use Them?

Canary tokens are simple, yet effective, tools used for detecting unauthorized access or activity within networks or systems. Here's an overview of Canary tokens:

Canary Token:

  • A Canary token is essentially a piece of data or a file placed within a network or system, designed to act as a tripwire or early warning system when accessed or manipulated without authorization.
  • It can take various forms, such as a file, URL, DNS record, or even a specific piece of text, and is deliberately placed in locations where unauthorized access or activity is suspected.

Operation:

  • Once a Canary token is deployed, any attempt to access, open, modify, or interact with it triggers an alert or notification, indicating potential unauthorized access or activity.
  • Canary tokens are often used in conjunction with monitoring systems, security tools, or threat intelligence platforms to detect and respond to potential security incidents.

How to generate/use Canary Tokens

Canary Tokens ---> https://canarytokens.org/generate

Types of Canary Tokens:

  • File-based Tokens: These tokens are files, documents, or archives that, when accessed or opened, trigger an alert.
  • URL-based Tokens: These tokens are URLs or web links that, when accessed or clicked, trigger an alert.
  • DNS-based Tokens: These tokens are DNS records or subdomains that, when queried or resolved, trigger an alert.
  • Text-based Tokens: These tokens are specific words, phrases, or pieces of code that, when detected or executed, trigger an alert.
  • ...
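
To show how a DNS-based token feeds a monitoring system, the following added example (not from the original page or from the Canarytokens project) scans resolver query logs for lookups of planted token hostnames and turns each hit into an alert. The token hostnames, memos, and the dnsmasq-style log format are assumptions, and the sample log lines are constructed.

```python
import re

# Hypothetical registry: token hostname -> memo saying where it was planted.
# Hostnames are constructed and use the reserved .example TLD.
TOKENS = {
    "k3v9q2.canary.example": "AWS credentials file on build server",
    "x7m1p4.canary.example": "decoy VPN config on file share",
}

# dnsmasq-style query log line (assumed log format for this example).
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?query\[(?P<qtype>\w+)\]\s"
    r"(?P<qname>\S+)\sfrom\s(?P<client>\S+)$"
)

def match_token(qname):
    """Return the token a queried name belongs to, or None."""
    name = qname.lower().rstrip(".")  # DNS names are case-insensitive
    for token in TOKENS:
        # Exact name or a true subdomain only: a bare suffix test would
        # also fire on unrelated names such as 'notk3v9q2.canary.example'.
        if name == token or name.endswith("." + token):
            return token
    return None

def find_alerts(lines):
    """Return one alert dict per log line that queried a token hostname."""
    alerts = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # not a query line (e.g. 'forwarded', 'reply')
        token = match_token(m["qname"])
        if token:
            alerts.append({"time": m["ts"], "client": m["client"], "qtype": m["qtype"],
                           "token": token, "memo": TOKENS[token]})
    return alerts

# Constructed sample log: two token hits, one benign query, one look-alike name.
SAMPLE_LOG = """\
Mar  4 02:11:09 dnsmasq[812]: query[A] www.example.org from 10.0.4.21
Mar  4 02:11:10 dnsmasq[812]: forwarded www.example.org to 10.0.0.2
Mar  4 02:13:47 dnsmasq[812]: query[A] K3V9Q2.canary.example. from 10.0.4.57
Mar  4 02:13:52 dnsmasq[812]: query[TXT] host7.x7m1p4.canary.example from 10.0.4.57
Mar  4 02:14:03 dnsmasq[812]: query[A] notk3v9q2.canary.example from 10.0.4.33
""".splitlines()

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"ALERT {a['time']} {a['client']} queried {a['token']} ({a['memo']})")
```

The memo attached to each token is what makes an alert actionable: it tells the responder which decoy was touched and therefore which host or share to examine first.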