Sometimes you want to automate the creation of Canarytokens across your fleet. Perhaps you want every EC2 instance to reach out and fetch a token on creation (or startup). The Canary Console API supports this automation, but placing your Console API key on every host is a bad idea.
The Canarytoken Factory gives you a limited-use key that can only create other tokens. You can leave this key on a host knowing that even if an attacker were able to grab it, they would be able to create new tokens but not remove (or alter) anything else.
# List Canarytokens available via Canarytoken Factory
TIP
The values returned by this Canarytokens Factory API correspond to the `kind` parameter used to create Canarytokens via the Canarytokens Factory. As an example, if you wanted to create a Cloned Web Canarytoken, you would check the response to this Canarytoken Factory API and use `cloned-web` to define the Canarytoken type you wish to create via the Canarytoken Factory.
GET /api/v1/canarytokens/factory/list
Lists the Canarytokens available via your Canarytokens Factory.
Required Parameters
auth_token string
A valid auth token
Response
A JSON structure with result indicator and Canarytokens Factory information.
```python
import requests

# Replace EXAMPLE with your Console hostname and use a valid auth token.
url = 'https://EXAMPLE.canary.tools/api/v1/canarytokens/factory/list'
payload = {'auth_token': 'EXAMPLE_AUTH_TOKEN'}

r = requests.get(url, params=payload)
print(r.json())
```
Response
```json
{
  "factory_canarytokens": {
    "aws-id": "Amazon API Key",
    "cloned-web": "Cloned Website",
    "dns": "DNS",
    "doc-msword": "MS Word .docx Document",
    "fast-redirect": "Fast HTTP Redirect",
    "http": "Web",
    "msexcel-macro": "MS Excel .xlsm Document",
    "msword-macro": "MS Word .docm Document",
    "pdf-acrobat-reader": "Acrobat Reader PDF Document",
    "qr-code": "QR Code",
    "signed-exe": "Signed Exe",
    "slack-api": "Slack API Key",
    "slow-redirect": "Slow HTTP Redirect",
    "web-image": "Remote Web Image",
    "windows-dir": "Windows Directory Browsing"
  },
  "result": "success"
}
```
An image file for use with web-image tokens (request must be multipart/form-data encoded if parameter is present, required when using web-image)
cloned_web string
Domain to check against (required when creating cloned-web tokens)
browser_scanner_enabled boolean
Defaults to: true
Enables a JavaScript scanner to retrieve more information (only valid with 'http' Canarytokens)
browser_redirect_url string
The URL you want your Canarytoken server to redirect attackers to after they have triggered your Canarytoken (required when creating fast-redirect and slow-redirect tokens)
exe string
The Windows executable that you would like tokened (required when creating signed-exe tokens)
web_image string
Image file (jpeg or png) that will be displayed on the Canarytokens URL (required when creating web-image tokens)
doc file
MS Word document to upload to the Canarytoken; optionally used with the MS Word Document (doc-msword) token. With curl, use the following flag: `-F 'doc=@upload-me.docx; type=application/vnd.openxmlformats-officedocument.wordprocessingml.document'`
pdf file
PDF file to upload to the Canarytoken; optionally used with the Adobe PDF Canarytoken (pdf-acrobat-reader). With curl, use the following flag: `-F 'pdf=@upload-me.pdf; type=application/pdf'`
process_name string
Name of the process you want to monitor (required when creating sensitive-cmd tokens)
azure_id_cert_file_name string
Azure ID config will use this as the file path to the certificate (required when creating Azure ID tokens).
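A pre-flight check that ties the list response to the per-kind parameter requirements described above, so a provisioning script fails before it sends a request the factory would reject. This is an added example, not code from the Canary documentation: `available_kinds`, `build_create_params` and `REQUIRED_BY_KIND` are hypothetical names, and the embedded response is abridged from the sample on this page.

```python
import json

# Sample /factory/list response, abridged from the one shown on this page.
SAMPLE_LIST_RESPONSE = json.loads("""
{"factory_canarytokens": {"aws-id": "Amazon API Key", "cloned-web": "Cloned Website",
  "dns": "DNS", "fast-redirect": "Fast HTTP Redirect", "http": "Web",
  "signed-exe": "Signed Exe", "slow-redirect": "Slow HTTP Redirect",
  "web-image": "Remote Web Image"}, "result": "success"}
""")

# Per-kind required parameters, taken from the parameter descriptions on this page.
REQUIRED_BY_KIND = {
    "cloned-web": ["cloned_web"],
    "fast-redirect": ["browser_redirect_url"],
    "slow-redirect": ["browser_redirect_url"],
    "signed-exe": ["exe"],
    "web-image": ["web_image"],
    "sensitive-cmd": ["process_name"],
}


def available_kinds(list_response):
    """Return the kind values a factory offers, or raise if the call failed."""
    if list_response.get("result") != "success":
        raise ValueError("factory list call did not succeed")
    return set(list_response.get("factory_canarytokens", {}))


def build_create_params(kind, list_response, **params):
    """Validate kind and its parameters; return the dict to send (hypothetical helper)."""
    if kind not in available_kinds(list_response):
        raise ValueError(f"kind {kind!r} is not offered by this factory")
    missing = [p for p in REQUIRED_BY_KIND.get(kind, []) if not params.get(p)]
    if missing:
        raise ValueError(f"kind {kind!r} requires: {', '.join(missing)}")
    if "browser_scanner_enabled" in params and kind != "http":
        raise ValueError("browser_scanner_enabled is only valid with 'http' tokens")
    return {"kind": kind, **params}


if __name__ == "__main__":
    # Constructed input: a cloned-web token for a placeholder domain.
    print(build_create_params("cloned-web", SAMPLE_LIST_RESPONSE, cloned_web="example.com"))
```

In a real deployment the second argument would be the parsed JSON from the list call rather than the embedded sample.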