April 24th, 2023
Early Warnings with LimaCharlie + Canarytokens
Matt Bromiley
Here at LimaCharlie, we believe in using as much telemetry as possible to gain insight into suspicious activity within your environment. Our platform lets you quickly create or import detection rules, such as Sigma or SnapAttack rules, so your team can get up and running. Wider visibility means higher-fidelity detections. But what if a simple, yet effective, tool could give an earlier warning of potential attacks? This is where Canarytokens come in.
Thinkst Canarytokens is an innovative tool that allows you to place decoy files, URLs, and other bait on your network or endpoints. When a Canarytoken is triggered, you'll receive an alert, allowing you to take immediate action to prevent any potential threats. With LimaCharlie’s webhook ingestion, we can easily push Canarytoken alerts into LimaCharlie. Let’s walk through this process.
Getting started with the Canarytokens integration
Getting started with LimaCharlie and Canarytokens is easy. Simply sign up for a free account and follow the easy setup instructions. With LimaCharlie's user-friendly interface and Canarytokens' simple deployment process, you can have both systems up and running in no time.
Head over to Canarytokens.org and select the type of token you want to create. For this blog post, we’ll create a Canary that monitors for command execution. We’re going to monitor usage of ping.exe (you might want to modify this for sensitive commands, or deploy multiple Canaries on key systems). More information about this canary type is available on Canarytokens’ documentation.
Let’s head back to LimaCharlie to create a dedicated Canary Token input. We’ve made this simple: select “Canary Token” as a new sensor type (this can also be done via the LimaCharlie API or CLI; more detailed documentation is available here):
You’ll need an Installation Key and a secret value, which can be an arbitrary value unique to this webhook:
Once created, you’ll have your webhook listed in the ‘Cloud Adapters’ section of the Sensors list.
The URL to push to this webhook, which you’ll need to finish the Canarytokens configuration, will include the following:
Grab this URL, head back to Canarytokens, and input it in the appropriate field. Give your Canary some metadata, the process name, and install the registry key on the system(s) of interest. Now, we wait for someone to bite!
Canary Webhook Data in LimaCharlie
Luckily, this is all the configuration needed to get Canarytokens data into LimaCharlie. Now, we wait for a Canary to get tripped, which will send an alert to the specified webhook URL. Navigating to the ‘Timeline’ data of our webhook sensor, there is a chance you’ll see an initial “this works” message:
We installed the Canary on a test system and executed our monitored binary - within a second or two, we had a Canary token event represented in our LimaCharlie timeline. Here’s an example alert:
Note that we have some useful metadata associated with the token, including the command-prompt user and the hostname. Other tokens, such as Office documents, provide significantly more metadata. Because the Canarytoken alert is JSON, the data ingests cleanly into LimaCharlie and requires little follow-up on our part.
Detecting on Canary Events
We’re almost done - the final step is to ensure that Canarytokens appear in our Detections menu, rather than just in the timeline. Remember, Canarytokens come with an inherent fidelity - if they are placed in key locations and opened/accessed/tripped, we are already suspicious of the activity. Thus, a Canarytoken alert itself is enough to generate a detection.
Quick Note: Why not just bring Canarytokens in as detections? We like the idea of keeping the data separate, so you can refer back to Canarytoken data in its own timeline, rather than having to browse through the detection data.
Looking at the Canarytokens’ data, we can see that the data is in simple structured JSON, and we can write a quick rule for it:
All we’re looking for is a token_hit event from our canary_token platform, which removes the need to pivot on sensor details to establish fidelity. Notice, however, that we transform the reported name of the detection to incorporate the hostname of the system, as provided in the Canary payload.
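As an added illustration (not code from this post or from LimaCharlie), here is the matching logic of that rule expressed in Python over constructed sample events. The field names `event`, `platform` and `hostname`, and the shape of the initial “this works” message, are assumptions, since the post shows the rule and alert only as screenshots.

```python
import json
from typing import Optional

# Constructed sample events, modelled on what the post describes: a webhook
# hit from the canary_token platform, a hit missing its hostname, the
# initial "this works" test message, and a token_hit from another platform.
# Field names are assumptions, not the real Canarytokens/LimaCharlie schema.
SAMPLE_EVENTS = [
    '{"event": "token_hit", "platform": "canary_token", '
    '"hostname": "WS-FINANCE-07", "user": "jdoe", '
    '"memo": "ping.exe on finance workstation", "src_ip": "10.0.4.21"}',
    '{"event": "token_hit", "platform": "canary_token", "memo": "test token"}',
    '{"message": "this works"}',
    '{"event": "token_hit", "platform": "edr", "hostname": "WS-ENG-02"}',
]


def canary_detection_name(raw: str) -> Optional[str]:
    """Return a detection name for a Canarytoken hit, or None when the
    event should stay in the timeline without raising a detection.

    Mirrors the rule described in the post: match a token_hit from the
    canary_token platform and fold the reporting hostname into the name.
    """
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return None  # malformed payload: leave it in the timeline
    # The "this works" message sent while configuring the webhook is not a hit.
    if event.get("event") != "token_hit":
        return None
    # Only the Canarytoken adapter's events get this blanket high-fidelity treatment.
    if event.get("platform") != "canary_token":
        return None
    # A hit with no hostname is still a hit; label it so it is not silently dropped.
    host = event.get("hostname") or "unknown-host"
    return f"Canarytoken hit on {host}"


def detections(raw_events) -> list:
    """Run the rule over a batch of raw webhook events and keep the names raised."""
    return [name for name in map(canary_detection_name, raw_events) if name]
```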
By combining LimaCharlie's EDR capabilities with Canarytokens' early warning system, you can create a powerful, layered defense that will keep your organization safe from even the most sophisticated cyber attacks. To see for yourself how you can leverage Canarytokens with LimaCharlie, try our full-featured free tier or book a demo.