-
Notifications
You must be signed in to change notification settings - Fork 257
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
52beac5
commit b798873
Showing
12 changed files
with
275 additions
and
155 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
|
||
|
||
# Adding a new token | ||
When adding a new token here are a set of steps / checkboxes that are useful to follow. | ||
1. Add a file `canarytokens/{new_token}.py`. Use this file to define all `new_token` specific logic. | ||
2. Create tests in `tests/units/test_new_token.py`. Check that a significant amount of this token specific code is covered by test. | ||
Use: `coverage run --source=./canarytokens/{new_token}.py -m pytest tests/units/test_new_token.py` and view coverage: `coverage report -m` | ||
3. Adding `new_token` models. Add `{new_token_type}TokenRequest`, `{new_token_type}TokenResponse` and `{new_token_type}` to `canarytokens/models.py::Class TokenTypes`. | ||
Add `{new_token_type}TokenHit` and `{new_token_type}TokenHistory`. | ||
Finally add these as entries to `AnyTokenHit, AnyTokenHistory, AnyTokenRequest, AnyTokenResponse`. This allows `parse_obj_as(AnyTokenXXX, data)` to return hydrated object. | ||
4. Token creation happens in `./backend/app.py`. Add a `create_response` handler. This handler should hold all Token specific creation logic. | ||
example: | ||
``` | ||
@create_response.register | ||
def _( | ||
token_request_details: {new_token_type}TokenRequest,canarydrop:Canarydrop, | ||
)->{new_token_type}TokenResponse: | ||
... | ||
# Save canarydrop with token specific details | ||
``` | ||
5. Download happens in `./backend/app.py`. Add a `create_download_response` handler. This handler should hold all the token download specifics. Create a `Download{new_token_type}Request` and `Download{new_token_type}Response` | ||
Example: | ||
``` | ||
@create_download_response.register | ||
def _(download_request_details:DownloadCMDRequest, canarydrop: Canarydrop)->DownloadCMDResponse: | ||
"""Creates a download response for CMD token. | ||
This holds a plain text `{token_value}.reg` file. | ||
""" | ||
return DownloadCMDResponse(...) | ||
``` | ||
|
||
That should be all that is needed to create a new token. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
from canarytokens.models import Hostname | ||
|
||
REG_TEMPLATE = r"""Windows Registry Editor Version 5.00 | ||
; Sensitive command token generated by Thinkst Canary | ||
; Run with admin privs on Windows machine as: reg import FILENAME | ||
; command that will be watched for | ||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{PROCESS}] | ||
"GlobalFlag"=dword:00000200 | ||
; magic unique canarytoken that will be fired when this command is executed | ||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\{PROCESS}] | ||
"ReportingMode"=dword:00000001 | ||
"MonitorProcess"="cmd.exe /c start /min powershell.exe -windowstyle hidden -command \\\"&{{$u=$(\\\\\\\"u$env:username\\\\\\\" -replace(\\\\\\\"[^\x00-\x7F]\s\\\\\\\", ''))[0..63] -join \\\\\\\"\\\\\\\";$c=$(\\\\\\\"c$env:computername\\\\\\\" -replace(\\\\\\\"[^\x00-\x7F]\s\\\\\\\", ''))[0..63] -join \\\\\\\"\\\\\\\";Resolve-DnsName -Name \\\\\\\"$c.UN.$u.CMD.{TOKEN_DNS}\\\\\\\"}}\\\"" | ||
""" | ||
|
||
|
||
def make_canary_msreg(token_hostname: Hostname, process_name: str = "klist.exe") -> str: | ||
"""Returns a Microsoft Register .reg file which has a canarytoken and | ||
process name embedded in it. | ||
The token is in a 'hostname' eg: {some}.{thing}.CMD.{token}.{canarytoken_hostname} | ||
Args: | ||
token_hostname (Hostname): {token}.{canarytoken_server_hostname} eg: 1234dsaa.canarytokens.com | ||
process_name (str, optional): Name of the process to monitor. | ||
If extension is not .exe .exe is appended. Defaults to 'klist.exe'. | ||
Returns: | ||
StringIO: a valid .reg file that is to be loaded on a windows machine. | ||
""" | ||
# TODO: use .endswith. | ||
if process_name.find(".exe") == -1: | ||
process_name += ".exe" | ||
|
||
return REG_TEMPLATE.format(TOKEN_DNS=token_hostname, PROCESS=process_name) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.