Copy this URL to your clipboard and use as you wish:
Remember, it gets triggered whenever someone requests the URL.
If the URL is requested as an image (e.g. <img src="">) then a 1x1 image is served. If the URL is surfed in a browser then a blank page is served with fingerprinting Javascript.
Copy this URL to your clipboard and use as you wish:
The token is similar to the Web token, however, when the link is loaded the view will be immediately redirected to the specified redirect URL.
Copy this URL to your clipboard and use as you wish:
The token is similar to the Fast Redirect token, however, when the link is loaded the user's browser / browser plugin information is captured.
Copy this hostname to your clipboard and use as you wish:
Remember, it gets triggered whenever someone performs a DNS lookup of the hostname.
The source IP address shown in the alert is the
tail -f /var/log/auth.log | awk '/Accepted publickey for/ { system("host k5198sfh3cw64rhdpm29oo4ga.canarytokens.com") }'
Here is a unique email address:
Remember, it gets triggered whenever someone sends an email to the address.
You'll get an alert whenever this document is opened in Microsoft Office, on Windows or Mac OS.
You can rename the document without affecting its operation.
Once installed (with admin permissions) you'll get an alert whenever someone (or someone's code) runs your sensitive process. It will automatically provide the command used, computer the command ran on, and the user invoking the command.
If the card number is ever used in an authorization, the transaction will be declined, but you will be alerted.
You'll get an alert whenever this document is opened in Microsoft Office, on Windows or Mac OS.
You can rename the document without affecting its operation.
You'll get an alert whenever this document is opened with Acrobat Reader, regardless of the user's security preferences in Reader.
You can rename the document without affecting its operation.
Unzip this file in a folder, and get notified when someone browses the folder in Windows Explorer. It will even trigger if someone is browsing the folder via a network share!
The alert will include the network domain and username of the browsing user, if present.
Remember, this token is triggered whenever the binary file is executed. For EXEs, this means direct execution and for DLLs, it means they were loaded.
Use this Javascript to detect when someone has cloned a webpage. Place this Javascript on the page you wish to protect:
When someone clones your site, they'll include the Javascript. When the Javascript is run it checks whether the domain is expected. If not, it fires the token and you get an alert.
The next step is to copy the SQL snippet below and run in your SQL Server database.
When the actions are run, your Canarytoken will be triggered.
Since DNS is used as the underlying transport, the Source IP will be that of a DNS server, not the database server.
There are two ways you can use this token:
1.) Insert it into a MySQL dump of your own:
2.) Download a (pseudo) random MySQL dump with a token already embedded in it
When the MySQL statements are run, your Canarytoken will be triggered.
Use this QR Code to token a physical location or object:
When someone scans the QR Code with a reader, it will trigger the URL tied to your token and fire an alert.
Scan this QR Code with the WireGuard app on your phone or copy the config below.
Whenever someone tries to use this WireGuard VPN config to see what access it gets them, an alert is triggered.
This WireGuard config can be installed anywhere WireGuard is used, such as on phones, laptops and servers.
Run this SVN command in a dummy repo:
Remember, it gets triggered whenever someone clones the SVN repo.
Don't forget to run
svn commitafter you've added the token.
The source IP address shown in the alert is the
This canarytoken is triggered when someone uses this credential pair to access AWS programmatically (through the API).
The key is unique. i.e. There is no chance of somebody guessing these credentials.
If this token fires, it is a clear indication that this set of keys has "leaked".
This canarytoken is triggered when someone uses this Service Principal Login to access Azure programmatically (through the API).
The Service Principal Login is unique. i.e. There is no chance of somebody guessing these credentials.
If this token fires, it is a clear indication that this Service Principal Login has "leaked".
Ideas for use:
You'll get an alert when someone tries to use your Kubeconfig.
The next step is to copy the log4j snippet below and test your systems for the log4shell issue.
If the log line is consumed by a vulnerable log4j library, it will generate an alert on this token.
If this works, you will also obtain the hostname of the vulnerable server.
You can read more on this issue at LunaSec