Detecting Canary Tokens and Seeds Without Raising an Alert

Among the intricate chess game of cybersecurity, canary and seed files have long been touted as silent sentinels, guarding the most sensitive data corridors against unauthorized access. These files are meant to act as traps for intruders, silently alerting me to their presence. But how effective are they in the grand scheme of security?

In this blog post, I will unveil the limitations and potential failures of relying only on canary and seed files for security.

I will also provide a script for red teams to detect canary files without triggering an alert.

Deciphering Canary and Seed Files

Canary and seed files are often introduced as clever ploys, set as traps for the unsuspecting intruder. At their core, these files are simple yet seemingly valuable data or system elements that are strategically placed to appear enticing or crucial. They are monitored closely, and any interaction with these files is considered a red flag, signalling a potential security breach.

What Are Canary and Seed Files?

Canary files are typically dummy files or tokens placed within a system’s critical areas. They might mimic the appearance of sensitive data, system configurations, or credentials. The term ‘canary’ harks back to an older practice in coal mining, where canaries were used as early warning systems for toxic gases. Similarly, in cybersecurity, seed files serve as early indicators of unauthorized access or data breaches.

How Do They Work?

The principle behind canary and seed files is straightforward: place a file that looks important where an attacker is likely to stumble upon it during their unauthorized exploration of a network. These files are silently monitored by security systems. When an attacker interacts with the file — be it opening — an alert is triggered. Theoretically, this allows security teams to detect and respond to the breach promptly.

Inherent Weaknesses of Canary and Seed Files

While canary and seed files are crafted with the intention of acting as early warning systems in the cybersecurity landscape, they come with a set of inherent weaknesses that can significantly diminish their effectiveness. These limitations not only affect the reliability of such measures but also raise questions about their viability as standalone security solutions.

Resource and Maintenance Overhead

Implementing and maintaining canary and seed files require continuous effort and resources. Each file must be convincingly disguised, properly placed, and meticulously monitored. As the network environment changes, these files may need updates or repositioning to remain effective, adding to the administrative burden. For organizations with limited cybersecurity resources, the cost of maintaining these files can outweigh the benefits, especially when considering the availability of more dynamic and less resource-intensive alternatives.

Risk of Desensitization

The effectiveness of canary and seed files is predicated on the assumption that any interaction with them is suspicious. However, false positives can occur — legitimate users might mistakenly access these files, or routine network operations might trigger alerts. Over time, frequent false positives can lead to alert fatigue, where security teams become desensitized to warnings, potentially overlooking genuine threats. This desensitization undermines the very purpose of these files, turning them into a source of noise rather than a reliable signal.

Subscribed

Red Team Script for Detecting Canary and Seed Files (without raising an alert)

As part of a comprehensive cybersecurity strategy, red teams — need effective tools for detecting potential canary and seed files.

Below is a Python script aimed at scanning for, and identifying suspected canary and seed files (specifically docx, pptx, and xlsx files) quietly and efficiently.

Purpose of the Script: This script is designed to help red teams detect the presence of canary and seed files within the environments being tested. By scanning file systems for these files discreetly, the script aims at avoiding canaries and seed files.

import os
import zipfile
import re
import shutil
import time


PATH_TO_CHECK = '/Users/XXXXX/Downloads/file.xlsx'


RED = '\033[91m'
RESET = '\033[0m'


def decompress_and_scan(file_path):
    suspicious = False  # Flag to track if suspicious URLs are found
    temp_dir = "temp_extracted"
    os.makedirs(temp_dir, exist_ok=True)
    original_path = file_path  # Store the original file path
    new_path = file_path + ".zip"  # Define the new file path

    try:
        if os.path.exists(file_path):
            os.rename(file_path, new_path)
            with zipfile.ZipFile(new_path, 'r') as zip_ref:
                zip_ref.extractall(temp_dir)

            url_pattern = re.compile(r'https?://\S+')
            ignored_domains = ['schemas.openxmlformats.org', 'schemas.microsoft.com', 'purl.org','w3.org']

            for root, dirs, files in os.walk(temp_dir):
                for file in files:
                    file_path = os.path.join(root, file)
                    with open(file_path, 'r', errors='ignore') as file:
                        contents = file.read()
                        urls = url_pattern.findall(contents)
                        for url in urls:
                            if not any(domain in url for domain in ignored_domains):
                                print(f"URL Found: {url}")
                                suspicious = True  # Mark as suspicious if a non-ignored URL is found

    except Exception as e:
        print(f"Error processing file {original_path}: {e}")

    finally:
        shutil.rmtree(temp_dir)
        try:
            if os.path.exists(new_path):
                os.rename(new_path, original_path)
        except Exception as e:
            print(f"Error cleaning up: {e}")

    return suspicious

def is_suspicious(file_path):
    if file_path.endswith(('.docx', '.xlsx', '.pptx')):
        return decompress_and_scan(file_path)

    return False

def main():
    if os.path.isfile(PATH_TO_CHECK):
        if is_suspicious(PATH_TO_CHECK):
            print(RED + f"The file {PATH_TO_CHECK} is suspicious." + RESET)
        else:
            print(f"The file {PATH_TO_CHECK} seems normal.")
    elif os.path.isdir(PATH_TO_CHECK):
        for root, dirs, files in os.walk(PATH_TO_CHECK):
            for name in files:
                file_path = os.path.join(root, name)
                if is_suspicious(file_path):
                    print(RED + f"The file {file_path} is suspicious." + RESET)
                else:
                    print(f"The file {file_path} seems normal.")

if __name__ == "__main__":
    main()

The script operates in several steps:

1. Identification: It first identifies whether a given file is a Microsoft Office document (specifically, with .docx, .xlsx, or .pptx extensions). These types of files are essentially zip archives containing various XML and other files, which can be programmatically examined.
2. Decompression and Scanning: Once identified, the script renames the file to a .zip extension and decompresses it into a temporary directory. It then scans through the decompressed contents, looking for URLs using regular expressions. URLs can sometimes indicate external resources or links to malicious sites.
3. Ignoring Certain URLs: Not all URLs are malicious. Many Office documents contain standard schema or namespace URLs that are part of the file’s structure. The script includes an ignored_domains list to filter out these benign URLs, focusing only on the unexpected or potentially harmful ones.
4. Flagging Suspicious Files: If the script finds URLs not on the ignored list, it marks the file as suspicious. This is a heuristic approach and should be tailored according to the specific security context and threat model of your environment.
5. Cleanup and Restoration: After scanning, the script cleans up by deleting the temporary decompressed files and renames the original file back to its initial extension, ensuring no residual clutter or changes.

Using the Script:

To use the script, you need a basic Python environment and some understanding of file paths and regular expressions. Here’s how you can deploy and utilize this script:

1. Setup: Ensure Python is installed on your system. Place the script in a convenient location and update the PATH_TO_CHECK variable to point to the file or directory you want to examine.
2. Run: Execute the script. It will print out any URLs found in the documents it examines, flagging any document containing unexpected URLs as suspicious.
3. Interpret: Review the output. Remember, this script is a starting point — not all flagged documents are necessarily malicious, and not all malicious documents will be flagged. Always follow up with manual review and additional security measures.

Conclusion

Seed and Canary files have inherent limitations and, often, fall short against the sophisticated and continuously evolving strategies of today’s attackers.

Instead, embracing fully-fledged decoys as a means of deception provides a far more robust and effective solution for misleading and trapping adversaries and are much harder to detect.

Furthermore, the script provided, while focused on Microsoft Office documents (docx, pptx, xlsx), represents just the tip of the iceberg in terms of what’s possible of detecting. Similar silent detection strategies can be applied to a wide range of file types and assets, including PDFs, AWS credentials, SVG images, HTML files, and much more.

In conclusion, by moving beyond the limited scope of traditional canary and seed files and embracing a more nuanced and sophisticated approach to deception, organizations can significantly enhance their ability to deceive red teams, adversaries, and ultimately protect their critical assets from the ever-present threats in the digital world.

Link to the code

Come and have a chat with us, if you want to try our deception as a service solution.