# Overview
Breadcrumbs are a powerful tool for guiding attackers towards your Canaries. They take the form of profiles or device entries across various different services that an attacker might poke at for vulnerable hosts, leading them directly towards a Canary.
Breadcrumbs are built based on the enabled services of a specific target bird and are templated with the various settings and parameters configured for those services.
The following services and breadcrumb kinds are currently supported:
# Available Breadcrumb Kinds
| Kind | Service | Creates Credentials | Description |
|---|---|---|---|
| ssh-key | SSH | Yes | SSH Key. This crumb generates a valid SSH key pair and a sample config entry. We will provide an extra alert if the public key is detected in any future SSH events on your Canary. You can deploy this breadcrumb by placing the public and private key files into a host's .ssh/ folder, and copying the Host entry into .ssh/config. |
| putty-profile | SSH | No | SSH PuTTY Profile. This crumb creates a session profile for the Canary on the PuTTY SSH client. On a Windows host that runs PuTTY, you can import the session by double clicking the crumb file, or by running reg import putty-sessions.reg in PowerShell or regedit /i putty-sessions.reg in a terminal. |
| rdp-profile | RDP | No | Remote Desktop Profile. This crumb can either be treated like a Canarytoken and left in place somewhere on a host where an attacker might stumble onto it, or it can be imported into Microsoft Remote Desktop as a profile. |
| filezilla-profile | File Transfer (FTP) | No | FTP FileZilla Profile. This crumb creates a Site Manager entry for the FileZilla FTP client. In FileZilla, select File > Import, and import the crumb. This will make the Canary visible in Site Manager. |
| winscp-profile | File Transfer (FTP) | No | WinSCP Profile. This crumb creates a session profile for the Canary on the WinSCP FTP client. On a Windows host that runs WinSCP, you can import the session by double clicking the crumb file, or by running reg import winscp-sessions.reg in PowerShell or regedit /i winscp-sessions.reg in a terminal. |
| windows-ftp-shortcut | File Transfer (FTP) | No | Windows FTP Server Shortcut. This crumb creates a Windows file shortcut to the bird's FTP service. The crumb can be created by dropping the script in the desired location and running it with PowerShell. |
| windows-smb-shortcut | Windows File Share | No | Windows SMB Server Shortcut. This crumb creates a Windows file shortcut to the bird's SMB service. The crumb can be created by dropping the script in the desired location and running it with PowerShell. |
| macos-http-shortcut | Webserver | No | MacOS HTTP Shortcut. This crumb creates a MacOS web page shortcut. The crumb file can simply be dropped somewhere that an attacker might click into it. |
| macos-https-shortcut | Webserver | No | MacOS HTTPS Shortcut. This crumb creates a MacOS web page shortcut. The crumb file can simply be dropped somewhere that an attacker might click into it. |
| windows-http-shortcut | Webserver | No | Windows HTTP Shortcut. This crumb creates a Windows web page shortcut. The crumb file can simply be dropped somewhere that an attacker might click into it. |
| windows-https-shortcut | Webserver | No | Windows HTTPS Shortcut. This crumb creates a Windows web page shortcut. The crumb file can simply be dropped somewhere that an attacker might click into it. |
TIP
Remember to make sure that the desired services are enabled and reachable on the Canary before deploying breadcrumbs. The services can either be enabled on the Console UI, or via the "device configuration" endpoints.
# Breadcrumb Credentials
Certain Breadcrumbs generate and store valid credentials that act as an identifier for the Breadcrumb and make them more appealing to attackers. When creating these Breadcrumbs you must provide a reminder, which will be included in an alert if the credentials are used in an attack on any of your Canaries.
As these Breadcrumb kinds produce static credentials, you can generate them without supplying a node_id to create a set of valid credentials which will still alert on use without creating configuration files referencing a specific Canary.
These Breadcrumbs are currently excluded from the archive produced by downloading without a specified kind.
# Generate Breadcrumb
GET /api/v1/breadcrumb/generate
Generate a specific breadcrumb type for the target bird.
Required Parameters
Optional Parameters
text places the full contents of the breadcrumb into the crumb output field and json splits the contents into separate fields.Response
JSON structure with output content of the crumb generation.
Example
{
"crumb": "$LNKFILE = `EXAMPLE_NODE.lnk`\n$WshShell = New-Object -comObject WScript.Shell\n$Shortcut = $WshShell.CreateShortcut(`$LNKFILE`)\n$Shortcut.TargetPath = `\\\\192.168.0.1\\\\`\n$Shortcut.Save()",
"readme": "\n# SMB Shortcut\nThis crumb creates a windows file shortcut to the bird`s SMB service.\n\nThe crumb can be created by dropping the script in the desired location and running it with\nPowerShell",
"title": "EXAMPLE_NODE.ps1",
"result": "success"
}
2
3
4
5
6
# Download Breadcrumb
GET /api/v1/breadcrumb/download
Download specific breadcrumb type for a target bird, or an archive of all possible breadcrumbs.
Required Parameters
Optional Parameters
text produces a single text file with the contents of the breadcrumb and zip produces a zip archive of the contents.Response
Temporary download link or archive of different breadcrumbs.
Example
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3806 100 3806 0 0 5368 0 --:--:-- --:--:-- --:--:-- 5368
2
3