Baited Canaries - Monitoring attackers with active beacons

Canary tokens are not a new idea, but they are woefully underused. In this talk I will outline particular use cases and techniques to get more mileage out of the base concept. Rather than treating a canary as a simple tripwire that can only be set in a limited range of environments, we’ll cover how you can bait these canaries to provide additional context, such as the attacker’s IP or user agent, which victims visit a phishing page, or the accounts used in exfiltration. Depending on the context, you could even replace creds attackers are trying to phish for without the attacker’s knowledge, or expand the beacon into something more C&C.

The implementations I will cover include a stealthy JS-based payload designed to trigger when run outside its normal domain, a G Suite payload, and PDF/DOCX bait files. I will also explain how you can use various communication channels, such as DNS, to improve reliability and stealthiness. For the DNS channels, I will briefly cover the constraints you need to be aware of, such as allowable character sets, subdomain lengths, number of subdomains, and multi-packet stitching for longer messages.
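The DNS constraints listed above can be made concrete with a short sketch of how a canary's context message is split into query names and stitched back together on the defender's logging name server. This is an added example, not code from the talk. The zone `canary.example.com`, the token id, the `<seq>-<total>` label layout and the choice of Base32 are all assumptions made for illustration.

```python
import base64

MAX_LABEL, MAX_NAME = 63, 253   # DNS limits: octets per label, characters per full name
ZONE = "canary.example.com"     # assumed zone served by the defender's logging name server

def encode_beacon(token_id, message, zone=ZONE):
    """Return query names shaped <data labels>.<seq>-<total>.<token_id>.<zone>."""
    if not message:
        raise ValueError("empty message")
    # Base32 output is [a-z2-7] only, so it survives case changes made by resolvers.
    b32 = base64.b32encode(message).decode().rstrip("=").lower()
    budget = MAX_NAME - len(f".999-999.{token_id}.{zone}")
    labels_per_name = (budget + 1) // (MAX_LABEL + 1)   # each label costs 63 chars + a dot
    per_name = labels_per_name * MAX_LABEL
    parts = [b32[i:i + per_name] for i in range(0, len(b32), per_name)]
    if len(parts) > 999 or labels_per_name < 1:
        raise ValueError("message too long for this zone")
    names = []
    for seq, part in enumerate(parts):
        data = ".".join(part[i:i + MAX_LABEL] for i in range(0, len(part), MAX_LABEL))
        names.append(f"{data}.{seq}-{len(parts)}.{token_id}.{zone}")
    return names

def decode_beacon(names, zone=ZONE):
    """Stitch logged query names back together; None until every chunk has arrived."""
    chunks, total, token_id = {}, None, None
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith("." + zone):
            continue                                   # unrelated query
        *data, seq, token_id = name[:-len(zone) - 1].split(".")
        index, total = (int(n) for n in seq.split("-"))
        chunks[index] = "".join(data)                  # duplicates overwrite harmlessly
    if total is None or any(i not in chunks for i in range(total)):
        return None
    b32 = "".join(chunks[i] for i in range(total)).upper()
    return token_id, base64.b32decode(b32 + "=" * (-len(b32) % 8))
```

The decoder assumes the log holds queries for a single token; a real collector would group names by token id before stitching.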

Presented by