Copy this URL to your clipboard and use as you wish:
Remember, it gets triggered whenever someone requests the URL.
If the URL is requested as an image (e.g. <img src="">) then a 1x1 image is served. If the URL is surfed in a browser then a blank page is served with fingerprinting Javascript.
Ideas for use:
Copy this URL to your clipboard and use as you wish:
The token is similar to the Web token, however, when the link is loaded the view will be immediately redirected to the specified redirect URL.
Ideas for use:
Copy this URL to your clipboard and use as you wish:
The token is similar to the Fast Redirect token, however, when the link is loaded the user's browser / browser plugin information is captured.
Ideas for use:
Copy this hostname to your clipboard and use as you wish:
Remember, it gets triggered whenever someone performs a DNS lookup of the hostname.
The source IP address shown in the alert is the
Ideas for use:
tail -f /var/log/auth.log | awk '/Accepted publickey for/ { system("host k5198sfh3cw64rhdpm29oo4ga.canarytokens.com") }'
Here is a unique email address:
Remember, it gets triggered whenever someone sends an email to the address.
Ideas for use:
You'll get an alert whenever this document is opened in Microsoft Office, on Windows or Mac OS.
You can rename the document without affecting its operation.
Ideas for use:
Once installed (with admin permissions) you'll get an alert whenever someone (or someone's code) runs your sensitive process. It will automatically provide the command used, computer the command ran on, and the user invoking the command.
Ideas for use:
You'll get an alert whenever this document is opened in Microsoft Office, on Windows or Mac OS.
You can rename the document without affecting its operation.
Ideas for use:
You'll get an alert whenever this document is opened with Acrobat Reader, regardless of the user's security preferences in Reader.
You can rename the document without affecting its operation.
Ideas for use:
Unzip this file in a folder, and get notified when someone browses the folder in Windows Explorer. It will even trigger if someone is browsing the folder via a network share!
The alert will include the network domain and username of the browsing user, if present.
Ideas for use:
Remember, this token is triggered whenever the binary file is executed. For EXEs, this means direct execution and for DLLs, it means they were loaded.
Ideas for use:
Use this Javascript to detect when someone has cloned a webpage. Place this Javascript on the page you wish to protect:
When someone clones your site, they'll include the Javascript. When the Javascript is run it checks whether the domain is expected. If not, it fires the token and you get an alert.
Ideas for use:
The next step is to copy the SQL snippet below and run in your SQL Server database.
When the actions are run, your Canarytoken will be triggered.
Since DNS is used as the underlying transport, the Source IP will be that of a DNS server, not the databserver.
Ideas for use:
There are two ways you can use this token:
1.) Insert it into a MySQL dump of your own:
2.) Download a (pseudo) random MySQL dump with a token already embedded in it
When the MySQL statements are run, your Canarytoken will be triggered.
Ideas for use:
Use this QR Code to token a physical location or object:
When someone scans the QR Code with a reader, it will trigger the URL tied to your token and fire an alert.
Ideas for use:
Scan this QR Code with the WireGuard app on your phone or copy the config below.
Whenever someone tries to use this WireGuard VPN config to see what access it gets them, an alert is triggered.
This WireGuard config can be installed anywhere WireGuard is used, such as on phones, laptops and servers.
Run this SVN command in a dummy repo:
Remember, it gets triggered whenever someone clones the SVN repo.
Don't forget to run
svn commitafter you've added the token.
The source IP address shown in the alert is the
Ideas for use:
This canarytoken is triggered when someone uses this credential pair to access AWS programmatically (through the API).
The key is unique. i.e. There is no chance of somebody guessing these credentials.
If this token fires, it is a clear indication that this set of keys has "leaked".
Ideas for use:
You'll get an alert when someone tries to use your Kubeconfig.
Ideas for use:
The next step is to copy the log4j snippet below and test your systems for the log4shell issue.
If the log line is consumed by a vulnerable log4j library, it will generate an alert on this token.
If this works, you will also obtain the hostname of the vulnerable server.
You can read more on this issue at LunaSec