Remember to unzip the .docx first, or use scan.sh.
Compile the YARA rule first so that scan.sh can load it:
yarac canarytoken.yar canarytoken
// Flags any extracted document part that references the canarytokens.com host.
rule canarytokendomain
{
    meta:
        description = "Canarytoken Domain"
        author = "@singe"
    strings:
        // "http://" or "https://" followed by the canarytokens.com host and a
        // path separator.
        // NOTE(review): the '.' before "com" is not escaped, so it matches any
        // single character there (e.g. "canarytokensXcom"); "\." is presumably
        // what was intended — confirm before tightening.
        $a = /https??:\/\/canarytokens.com\//
    condition:
        $a
}
// Word field code that pulls a picture from a remote URL (INCLUDEPICTURE),
// which is how a tokened .docx phones home when opened.
rule remoteimage_field
{
    meta:
        description = "Canarytokened Docx - Remote include via field"
        author = "@singe"
    strings:
        // Both forms: a quoted http(s) URL of up to 200 characters, with the
        // field's \d switch either after ($a) or before ($b) the URL.
        $a = /INCLUDEPICTURE +?"https??:\/\/.{1,200}?" +?\\d/
        $b = /INCLUDEPICTURE +?\\d +?"https??:\/\/.{1,200}?"/
    condition:
        any of them
}
// OOXML relationship entry (word/_rels/*.rels) whose Type ends in "/image"
// and whose Target is an http(s) URL rather than a part inside the package.
rule remoteimage_rels
{
    meta:
        description = "Canarytokened Docx - remote include via relationship"
        author = "@singe"
    strings:
        // Non-greedy [^>]*? keeps the match inside a single <Relationship ...> tag.
        $a = /<Relationship [^>]*?Type="[^"]*?\/image"[^>]*?Target="https??:\/\/[^"]*?"/
    condition:
        $a
}
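#!/bin/bash
# scan.sh — check a .docx (a ZIP container) for Canarytoken-style remote
# image references using a compiled YARA rule set.
#
# Usage:  scan.sh FILE.docx
# Env:    CANARY_COMPILED_RULE  path to the compiled rule file (yarac output);
#                               defaults to "canarytoken" in the current directory.
# Exit:   0 = no rule matched, 1 = a rule matched (token found),
#         2 = usage error, unreadable input, not a ZIP, or a tool failure.
#
# Errors are checked explicitly rather than via set -e so that a tool failure
# is reported as status 2 and can never be mistaken for a clean result.
set -u

compiled_rule="${CANARY_COMPILED_RULE:-canarytoken}"

# Colour only when stdout is a terminal so piped or logged output stays clean.
if [[ -t 1 ]]; then
  red=$'\033[31m'; green=$'\033[32m'; bold=$'\033[1;97m'; reset=$'\033[0m'
else
  red=''; green=''; bold=''; reset=''
fi

# die MSG...: print a bold diagnostic to stderr and exit with status 2.
die() {
  printf '%s[*] %s%s\n' "$bold" "$*" "$reset" >&2
  exit 2
}

# Exactly one argument. The previous version used "$@" as a single path,
# which silently misbehaves with zero or several arguments.
(( $# == 1 )) || die "Usage: ${0##*/} FILE.docx"
target=$1

# printf '%s' rather than echo -e: the filename is user input and must not be
# interpreted for backslash escapes.
printf '%s[+] Scanning: %s%s\n' "$bold" "$target" "$reset"

[[ -f "$target" ]] || die "File not found, or not a file"

# A .docx is a ZIP container; its first four bytes are the local file header
# signature 50 4b 03 04. od is POSIX, so no dependency on xxd.
check_zip=$(od -An -tx1 -N4 -- "$target" | tr -d ' \n') || die "cannot read $target"
[[ "$check_zip" == "504b0304" ]] || die "Not a ZIP file, is it a .docx?"

command -v unzip >/dev/null || die "unzip is required"
command -v yara >/dev/null || die "yara is required"
[[ -r "$compiled_rule" ]] || die "Compiled rule not found: $compiled_rule (compile it with yarac first)"

tmpdir=$(mktemp -d) || die "mktemp failed"
# Remove the extracted tree on every exit path, not only the happy one.
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

# Previously a failed extraction left $out empty and the script reported
# "Not tokened" with status 0; a corrupt archive must be an error instead.
unzip -d "$tmpdir" "$target" >/dev/null || die "unzip failed on $target"

# yara exits 0 whether or not anything matched; a non-zero status is a real
# error (bad rule file, unreadable input) and must not read as "clean".
out=$(yara -mDsLrC "$compiled_rule" "$tmpdir") || die "yara failed"

if [[ -z "$out" ]]; then
  printf '%s[-] Not tokened%s\n' "$green" "$reset"
  ret=0
else
  printf '%s\n' "$out"
  printf '%s[x] Canary token found%s\n' "$red" "$reset"
  ret=1
fi
exit "$ret"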